CVE-2024-57225
Published: 10 January 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2024-57225 is a command injection vulnerability affecting the Linksys E7350 router at version 1.1.00.032. The issue resides in the reset_wifi function, where the devname parameter fails to properly sanitize user input, allowing injection of arbitrary commands. Classified under CWE-77, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), marking it as critical due to its potential for severe impact.
Remote attackers can exploit this vulnerability over the network without requiring authentication, privileges, or user interaction. Exploitation enables full command execution on the device, compromising confidentiality, integrity, and availability to a high degree, which could lead to complete router takeover, data theft, or further network pivoting.
Details on the vulnerability, including a proof-of-concept, are documented in the GitHub repository at https://github.com/yanggao017/vuln/blob/main/Linksys/E7350/CI_7_reset_wifi/README.md. No official vendor advisories or patch information are specified in available data.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Command injection via the devname parameter in the router's reset_wifi web function enables exploitation of a public-facing application for remote code execution.