CVE-2024-57227
Published: 10 January 2025
Description
Adversaries may abuse scripting or built-in command line interpreters (CLI) on network devices to execute malicious command and payloads.
Security Summary
CVE-2024-57227 is a command injection vulnerability (CWE-77) in the Linksys E7350 router running firmware version 1.1.00.032. The flaw exists in the apcli_do_enr_pbc_wps function, where the ifname parameter fails to properly sanitize user input, enabling arbitrary command execution. Published on January 10, 2025, it carries a CVSS v3.1 base score of 8.0 (AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant impact.
An attacker with adjacent network access and low privileges, such as those obtainable through an initial foothold on the local network, can exploit this vulnerability with low complexity and no user interaction required. Successful exploitation allows high-impact consequences across confidentiality, integrity, and availability, potentially granting full control over the affected router, including execution of arbitrary system commands.
Proof-of-concept details are documented in the GitHub repository at https://github.com/yanggao017/vuln/blob/main/Linksys/E7350/CI_4_apcli_do_enr_pbc_wps/README.md. No official vendor advisories or patches are referenced in the available information.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Command injection via the ifname parameter in apcli_do_enr_pbc_wps enables exploitation of a public-facing router web interface (T1190) and arbitrary command execution on the network device CLI (T1059.008).