NETIS SYSTEMS MW5360 V1.0.1.3031 was discovered to contain a command injection vulnerability via the password parameter on the login page.
The vulnerability results from the lack of proper validation and sanitization of input data passed in the password parameter on the device's login page. An attacker can inject malicious system commands directly into this field, which are then executed by the device with the privileges of the process handling the login. The attack requires no authentication or user interaction, and the network vector means it can be performed remotely.
An attacker can remotely execute arbitrary system commands on the vulnerable device, leading to full takeover of the router, loss of confidentiality and integrity of data, and potential disruption of its operation.
Patches available from the manufacturer should be applied in accordance with the references. Until the update is implemented, it is recommended to restrict access to the device's administrative interface solely to trusted local networks and block access from the WAN.
NETIS SYSTEMS MW5360 Firmware version V1.0.1.3031
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HNetis Systems Mw5360
HWNetis-Systemswszystkie wersjeNetis Systems Mw5360 Firmware
OSNetis-Systems1.0.1.3031
Related vulnerabilities
Command Injection w Netis-Systems MEX605 — zdalne wykonanie poleceń OS
Command injection w Netis WF2780 przez parametr wps_ap_ssid5g
Netis N3Mv2-V1.0.1.865 was discovered to contain a command injection vulnerability via the ddnsDomainName para...
Netis N3Mv2-V1.0.1.865 was discovered to contain a command injection vulnerability via the pin_host parameter ...
Netis N3Mv2-V1.0.1.865 was discovered to contain a command injection vulnerability via the ntpServIP parameter...