CVE-2024-57223
Published: 10 January 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2024-57223 is a command injection vulnerability (CWE-77) affecting the Linksys E7350 router in version 1.1.00.032. The issue resides in the apcli_wps_gen_pincode function, where the ifname parameter fails to properly sanitize user input, allowing arbitrary command execution. Published on January 10, 2025, it carries a CVSS v3.1 base score of 9.8 (Critical), reflecting its network accessibility, low attack complexity, lack of required privileges or user interaction, and high impacts across confidentiality, integrity, and availability.
Remote attackers can exploit this vulnerability without authentication by sending crafted requests to the affected function. Successful exploitation grants attackers the ability to execute arbitrary commands on the router's underlying operating system, potentially leading to complete device compromise, data theft, persistent access, or use as a pivot point in the network.
Mitigation details and a proof-of-concept are documented in the GitHub advisory at https://github.com/yanggao017/vuln/blob/main/Linksys/E7350/CI_6_apcli_wps_gen_pincode/README.md. No official vendor patches or workarounds are specified in available information.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Command injection via the ifname parameter in the router's apcli_wps_gen_pincode function enables remote exploitation of a public-facing web application (T1190) and arbitrary command execution on the network device (T1059.008).