CVE-2024-57226
Published: 10 January 2025
Description
Adversaries may abuse scripting or built-in command line interpreters (CLI) on network devices to execute malicious command and payloads.
Security Summary
CVE-2024-57226 is a command injection vulnerability (CWE-77) affecting the Linksys E7350 router in version 1.1.00.032. The issue resides in the vif_enable function, where the iface parameter fails to properly sanitize user input, enabling injection of arbitrary commands.
Exploitation requires an attacker to have adjacent network access (AV:A) and low privileges (PR:L), with low attack complexity (AC:L) and no user interaction (UI:N). Successful exploitation yields high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H), as scored 8.0 under CVSS 3.1, potentially allowing full system compromise through arbitrary command execution in the context of the vulnerable function.
References point to a GitHub repository at https://github.com/yanggao017/vuln/blob/main/Linksys/E7350/CI_2_vif_enable/README.md, which documents the vulnerability and likely includes proof-of-concept details. No official advisories or patches are detailed in the available information.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Command injection via the 'iface' parameter in the 'vif_enable' function of the Linksys E7350 router's web interface enables exploitation of a public-facing application (T1190) for remote command execution equivalent to network device CLI abuse (T1059.008).