cbcvebase.
CVE-2024-22729
published 2024-01-25

CVE-2024-22729: NETIS SYSTEMS MW5360 V1.0.1.3031 was discovered to contain a command injection vulnerability via the password parameter on the login page.

PriorityP188critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
ITWEXPLOITVulnCheck KEV
Exploited in the wild
EPSS
70.78%
99.3th percentile
NETIS SYSTEMS MW5360 V1.0.1.3031 was discovered to contain a command injection vulnerability via the password parameter on the login page.

Affected

1 ranges
VendorProductVersion rangeFixed in
netis-systemsmw5360_firmware

Detection & IOCsextracted from sources · hover to see the quote

url/cgi-bin/skk_set.cgi
  • Authorization header bypass: the router's login page authorization can be bypassed by simply deleting the authorization header. Detect unauthenticated POST requests to /cgi-bin/skk_set.cgi lacking an Authorization header.
  • Commands are injected into the 'password' parameter encoded in base64. Decode base64 values in the password POST parameter and inspect for shell metacharacters or OS commands (e.g., wget, curl).
  • Nuclei template uses an out-of-band (interactsh) HTTP callback via a wget payload to confirm exploitation. Monitor for outbound HTTP/DNS requests from Netis MW5360 devices to unknown external hosts.
  • Fingerprint vulnerable devices by checking for 'netis router' in the HTTP response body of the root page (GET /) before exploitation attempt.
  • ·All firmware versions up to V1.0.1.3442 are reported as vulnerable, not just the initially disclosed V1.0.1.3031.

CVSS provenance

nvdv3.19.8CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck9.8CRITICAL
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.