CVE-2024-45242
published 2024-10-24

CVE-2024-45242: EnGenius ENH1350EXT A8J-ENH1350EXT devices through 3.9.3.2_c1.9.51 allow (blind) OS Command Injection via shell metacharacters to the Ping or Speed Test…

Priority: P2 · 63 · high · CVSS 3.1: 7.8
CVSS vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 34.66% (98.2th percentile)
EnGenius ENH1350EXT A8J-ENH1350EXT devices through 3.9.3.2_c1.9.51 allow (blind) OS Command Injection via shell metacharacters to the Ping or Speed Test utility. During the time of initial setup, the device creates an open unsecured network whose admin panel is configured with the default credentials of admin/admin. An unauthorized attacker in proximity to the Wi-Fi network can exploit this window of time to execute arbitrary OS commands with root-level permissions.

Detection & IOCs (extracted from sources)

path: /cgi-bin/luci/;stok=8/d1314dd96049f7c37f1d2a405c3ea5e/admin/network/diag_ping/
  • Monitor HTTP GET requests targeting the /cgi-bin/luci/ endpoint with the diag_ping path and a stok session token, specifically inspecting the `pings` parameter for shell metacharacters (`;`, `\n`, `` ` ``, `|`, `$`) indicating OS command injection attempts.
  • During initial device setup, EnGenius ENH1350EXT creates an open unsecured Wi-Fi network with default credentials admin/admin. Monitor for admin panel access from unexpected or unauthenticated sources during this window, as exploitation can occur without prior authentication.
  • The Snort rule targets plaintext (non-TLS) HTTP traffic only; deploy detection at both perimeter and internal network segments to catch lateral exploitation attempts.
  • The stok session token value (`d1314dd96049f7c37f1d2a405c3ea5e`) embedded in the Snort rule URI pattern appears to be a specific example token from the PoC report. Real-world exploitation will use dynamically generated session tokens; detection logic should not rely solely on this static token value.
  • Exploitation is described as blind OS command injection, meaning no direct output is returned in the HTTP response. Detection based solely on response content inspection will be ineffective; focus on request-side indicators (URI path and parameter metacharacters).
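
The request-side check described in the bullets above, as an added example that is not part of the original page or of any vendor tooling. It assumes access-log lines in common log format from a proxy or sensor that sees the plaintext HTTP traffic; the log lines, tokens, addresses and function names are constructed for illustration.

```python
import re
from urllib.parse import unquote, unquote_plus, urlsplit

# Any stok value matches: the token quoted in the report is one example session.
DIAG_PING = re.compile(r"^/cgi-bin/luci/;stok=.+?/admin/network/diag_ping/?$")
# Metacharacters named in the guidance above, checked after URL decoding.
METACHARS = set(";\n`|$")
REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def pings_values(query):
    """Decoded values of every `pings` parameter; split on '&' only so ';' survives."""
    values = []
    for pair in query.split("&"):
        name, _, raw = pair.partition("=")
        if unquote_plus(name) == "pings":
            values.append(unquote_plus(raw))
    return values


def suspicious_pings(log_line):
    """Return decoded `pings` values that contain a shell metacharacter, else []."""
    m = REQUEST.search(log_line)
    if not m or m.group("method") != "GET":
        return []
    url = urlsplit(m.group("target"))
    if not DIAG_PING.match(unquote(url.path)):  # decode so %-encoded paths still match
        return []
    return [v for v in pings_values(url.query) if METACHARS & set(v)]


def scan(lines):
    """Return (line index, offending values) for every flagged request."""
    return [(i, hits) for i, line in enumerate(lines) if (hits := suspicious_pings(line))]


# Constructed log lines: tokens, addresses and parameter values are made up.
PREFIX = '192.0.2.10 - - [24/Oct/2024:10:00:01 +0000] "GET /cgi-bin/luci/;stok='
SAMPLE_LOG = [
    PREFIX + 'aaaa1111/admin/network/diag_ping/?pings=192.0.2.1 HTTP/1.1" 200 512',
    PREFIX + 'bbbb2222/admin/network/diag_ping/?pings=192.0.2.1%3Bid HTTP/1.1" 200 512',
    PREFIX + 'cccc3333/admin/network/diag_ping/?pings=192.0.2.1%0Aid HTTP/1.1" 200 512',
    PREFIX + 'dddd4444/admin/status/overview/?pings=a%7Cb HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for index, hits in scan(SAMPLE_LOG):
        print(f"line {index}: suspicious pings value(s) {hits!r}")
```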