CRITICAL🇵🇱 Wersja polska

CVE-2024-10119

CVSS 9.8v3.1pub. 2024-10-18upd. 2024-11-01

The wireless router WRTM326 from SECOM does not properly validate a specific parameter. An unauthenticated remote attacker could execute arbitrary system commands by sending crafted requests.

🤖 AI Analysis
How it works

An attacker sends a specially crafted network request to the device containing malicious data in a parameter that is not properly validated by the router firmware. Lack of input data sanitization (CWE-78 — command injection) causes the transmitted commands to be executed directly by the device's operating system. The attack requires no authentication or user interaction, making it particularly dangerous.

Impact

An attacker can gain full control over the device — execute arbitrary system commands, modify network configuration, intercept network traffic, or use the router as an entry point for further infrastructure penetration (lateral movement).

Mitigation & patch

Apply patches available from the manufacturer according to the references (TWCERT/CC: https://www.twcert.org.tw/en/cp-139-8157-e0461-2.html). Until updates are applied, it is recommended to restrict access to the router's management interface only to trusted IP addresses and isolate the device from the public Internet using a firewall.

Who is affected

SECOM WRTM326 wireless router (WRTM326 firmware); specific firmware versions indicated in the manufacturer's references

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Zte Wrtm326

    HW
    Zte
    wszystkie wersje
  • Zte Wrtm326 Firmware

    OS
    Zte
    ≤ 2.3.20
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
Command Injection
CWE
References

Related vulnerabilities

CVE-2022-39073CRITICAL9.8ten sam vendor

There is a command injection vulnerability in ZTE MF286R, Due to insufficient validation of the input paramete...

CVE-2022-39070CRITICAL9.8ten sam vendor

There is an access control vulnerability in some ZTE PON OLT products. Due to improper access control settings...

CVE-2022-23144CRITICAL9.1ten sam vendor

There is a broken access control vulnerability in ZTE ZXvSTB product. Due to improper permission control, atta...

CVE-2021-21748CRITICAL9.8ten sam vendor

ZTE MF971R product has two stack-based buffer overflow vulnerabilities. An attacker could exploit the vulnerab...

CVE-2021-21749CRITICAL9.8ten sam vendor

ZTE MF971R product has two stack-based buffer overflow vulnerabilities. An attacker could exploit the vulnerab...