Evenroute Iqrouter Firmware vulnerabilities
6 known vulnerabilities affecting evenroute/iqrouter_firmware.
Total CVEs: 6
CISA KEV: 0
Public exploits: 5
Exploited in wild: 1
Severity breakdown: CRITICAL 4, HIGH 2
Vulnerabilities
CVE-2020-11963 | P1 | CRITICAL | CVSS 9.8 | CWE-78 | Exploited | PoC | ≤ 3.3.1 | 2020-04-21
IQrouter through 3.3.1, when unconfigured, has multiple remote code execution vulnerabilities in the web-panel because of Bash Shell Metacharacter Injection. Note: The vendor claims that this vulnerability can only occur on a brand-new network that, after initiating the forced initial configuration (which has a required step for setting a secure pa
Source: NVD
CVE-2020-11967 | P2 | CRITICAL | CVSS 9.8 | CWE-862 | PoC | ≤ 3.3.1 | 2020-04-21
In IQrouter through 3.3.1, remote attackers can control the device (restart network, reboot, upgrade, reset) because of Incorrect Access Control. Note: The vendor claims that this vulnerability can only occur on a brand-new network that, after initiating the forced initial configuration (which has a required step for setting a secure password on t
Source: NVD
CVE-2020-11966 | P2 | CRITICAL | CVSS 9.8 | CWE-521 | PoC | ≤ 3.3.1 | 2020-04-21
In IQrouter through 3.3.1, the Lua function reset_password in the web-panel allows remote attackers to change the root password arbitrarily. Note: The vendor claims that this vulnerability can only occur on a brand-new network that, after initiating the forced initial configuration (which has a required step for setting a secure password on the sys
Source: NVD
CVE-2020-11968 | P3 | HIGH | CVSS 7.5 | CWE-532 | PoC | ≤ 3.3.1 | 2020-04-21
In the web-panel in IQrouter through 3.3.1, remote attackers can read system logs because of Incorrect Access Control. Note: The vendor claims that this vulnerability can only occur on a brand-new network that, after initiating the forced initial configuration (which has a required step for setting a secure password on the system), makes this CVE inva
Source: NVD
CVE-2020-11964 | P3 | HIGH | CVSS 7.5 | CWE-287 | PoC | ≤ 3.3.1 | 2020-04-21
In IQrouter through 3.3.1, the Lua function diag_set_password in the web-panel allows remote attackers to change the root password arbitrarily. Note: The vendor claims that this vulnerability can only occur on a brand-new network that, after initiating the forced initial configuration (which has a required step for setting a secure password on the sys
Source: NVD
CVE-2020-11965 | P3 | CRITICAL | CVSS 9.8 | CWE-287 | ≤ 3.3.1 | 2020-04-21
In IQrouter through 3.3.1, there is a root user without a password, which allows attackers to gain full remote access via SSH. Note: The vendor claims that this vulnerability can only occur on a brand-new network that, after initiating the forced initial configuration (which has a required step for setting a secure password on the system), makes t
Source: NVD