CRITICAL🇵🇱 Wersja polska

CVE-2024-25850

CVSS 9.8v3.1pub. 2024-02-22upd. 2025-04-03

Netis WF2780 v2.1.40144 was discovered to contain a command injection vulnerability via the wps_ap_ssid5g parameter

🤖 AI Analysis
How it works

The vulnerability lies in the wps_ap_ssid5g parameter, which is not properly validated before being passed to the system command interpreter (CWE-77: command injection). An attacker can craft a malicious network request containing embedded system commands in the value of the wps_ap_ssid5g parameter. Since the attack vector is network-based, it does not require authentication or user interaction, enabling remote attacks over the Internet or local network.

Impact

An attacker can gain full control of the device by executing arbitrary system commands, resulting in a breach of confidentiality, integrity, and availability of the device and the supported network.

Mitigation & patch

Apply patches available from the manufacturer according to the references. As an interim risk mitigation measure, it is recommended to isolate the device from untrusted network traffic (e.g., restrict access to the administration panel through a firewall) until the firmware update is deployed.

Who is affected

Netis WF2780 firmware version v2.1.40144

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Netis Systems Wf2780

    HW
    Netis-Systems
    wszystkie wersje
  • Netis Systems Wf2780 Firmware

    OS
    Netis-Systems
    2.1.40144
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2021-26747CRITICAL9.8ten sam produkt

Netis WF2780 2.3.40404 and WF2411 1.1.29629 devices allow Shell Metacharacter Injection into the ping command,...

CVE-2025-50635HIGH7.5ten sam produkt

A null pointer dereference vulnerability was discovered in Netis WF2780 v2.2.35445. The vulnerability exists i...

CVE-2024-25851HIGH8.0ten sam produkt

Netis WF2780 v2.1.40144 was discovered to contain a command injection vulnerability via the config_sequence pa...

CVE-2024-33792CRITICAL9.8PL ✓ten sam vendor

Command Injection w Netis-Systems MEX605 — zdalne wykonanie poleceń OS

CVE-2024-22729CRITICAL9.8PL ✓ten sam vendor

Command injection w NETIS SYSTEMS MW5360 przez parametr hasła na stronie logowania