CVE-2024-53942
Published: 03 February 2025
Description
An issue was discovered on NRadio N8-180 NROS-1.9.2.n3.c5 devices. The /cgi-bin/luci/nradio/basic/radio endpoint is vulnerable to command injection via the 2.4 GHz and 5 GHz name parameters, allowing a remote attacker to execute arbitrary OS commands on the device (with root-level permissions) via crafted input.
Security Summary
CVE-2024-53942 is a command injection vulnerability (CWE-78) affecting NRadio N8-180 devices running firmware version NROS-1.9.2.n3.c5. The issue resides in the /cgi-bin/luci/nradio/basic/radio endpoint, where user input supplied in the 2.4 GHz and 5 GHz name parameters is not properly sanitized, enabling injection of arbitrary OS commands. This flaw has a CVSS v3.1 base score of 4.8 (AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N), indicating medium severity: it is reachable over the network, but attack complexity is high.
A remote attacker without authentication can exploit this vulnerability by crafting malicious requests to the vulnerable endpoint, achieving remote code execution with root-level permissions on the device. The high attack complexity stems from requirements like precise parameter manipulation for successful injection, but successful exploitation grants full command execution capabilities, potentially allowing persistence, data exfiltration, or further network compromise.
References for further details include a GitHub advisory at https://github.com/actuator/cve/blob/main/NRADIO/CVE-2024-53942.txt, a proof-of-concept GIF demonstration at https://github.com/actuator/cve/blob/main/NRADIO/N8-180Firmware-Version-NROS-1.9.2.n3.c5-blind-cmd-injection-outputRedirect.gif, and a vendor article at https://www.nradiowifi.net/article/9.html; no specific patch or mitigation guidance is detailed in the available information.
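With no patch or mitigation guidance available, requests to the affected endpoint can be inspected at a reverse proxy or in captured traffic. The following is an added example, not code from the advisory or the vendor: it flags form fields sent to that endpoint whose decoded value contains shell metacharacters. The field names `ssid_2g` and `ssid_5g` and the sample requests are constructed assumptions; the page does not give the real parameter names, so every field is checked.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Endpoint named in the CVE-2024-53942 description.
ENDPOINT = "/cgi-bin/luci/nradio/basic/radio"

# Characters with special meaning to a POSIX shell. Quotes can occur in
# legitimate SSIDs, so treat hits as leads for triage, not as proof.
SHELL_META = re.compile(r"[;&|`$<>(){}\\\r\n'\"]")


def suspicious_fields(url, body=""):
    """Return sorted names of fields sent to ENDPOINT whose decoded
    value contains a shell metacharacter; [] for any other path."""
    parts = urlsplit(url)
    if parts.path.rstrip("/") != ENDPOINT:
        return []
    # The page does not give the real parameter names, so check every
    # field from both the query string and the form body.
    fields = parse_qsl(parts.query, keep_blank_values=True)
    fields += parse_qsl(body, keep_blank_values=True)
    hits = set()
    for name, value in fields:
        # parse_qsl decodes once; decode again to catch double encoding.
        if SHELL_META.search(value) or SHELL_META.search(unquote(value)):
            hits.add(name)
    return sorted(hits)


# Constructed sample requests (url, body); field names are hypothetical.
SAMPLES = [
    (ENDPOINT, "ssid_2g=HomeNet&ssid_5g=HomeNet-5G"),
    (ENDPOINT, "ssid_2g=HomeNet%3Bid&ssid_5g=HomeNet-5G"),
    (ENDPOINT, "ssid_2g=Cafe&ssid_5g=%2524%2528uname%2529"),
    ("/cgi-bin/luci/admin/status", "note=a%3Bb"),
]


def scan(samples):
    """Return (index, field_names) for each sample that is flagged."""
    results = []
    for i, (url, body) in enumerate(samples):
        hits = suspicious_fields(url, body)
        if hits:
            results.append((i, hits))
    return results


if __name__ == "__main__":
    for index, names in scan(SAMPLES):
        print(f"request {index}: shell metacharacters in {names}")
```

The same character check can serve as a blocking rule in front of the device's management interface, which should not be exposed to untrusted networks in the first place.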
Details
- CWE(s)