CVE-2024-57224
Published: 10 January 2025
Description
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.
Security Summary
CVE-2024-57224 is a command injection vulnerability (CWE-77) in the Linksys E7350 router running firmware version 1.1.00.032. The flaw resides in the apcli_do_enr_pin_wps function, where the ifname parameter fails to properly sanitize user input, allowing arbitrary command execution. The vulnerability has a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its high impact on confidentiality, integrity, and availability.
Remote attackers can exploit this vulnerability over the network without authentication, privileges, or user interaction. By crafting malicious requests to the affected function, an attacker can inject and execute arbitrary operating system commands on the router, potentially leading to full device compromise, data theft, persistent access, or use as a pivot point in the network.
A detailed proof-of-concept and vulnerability analysis is available in the GitHub repository at https://github.com/yanggao017/vuln/blob/main/Linksys/E7350/CI_3_apcli_do_enr_pin_wps/README.md. No official patches or mitigation guidance from Linksys or other advisories were referenced in the available information.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The command injection vulnerability in the router's apcli_do_enr_pin_wps function via the ifname parameter allows remote exploitation of a public-facing web application/service (T1190, T1210), enabling arbitrary command execution equivalent to network device CLI access (T1059.008).