Netis WF2780 v2.1.40144 was discovered to contain a command injection vulnerability via the wps_ap_ssid5g parameter
The vulnerability lies in the wps_ap_ssid5g parameter, which is not properly validated before being passed to the system command interpreter (CWE-77: command injection). An attacker can craft a malicious network request containing embedded system commands in the value of the wps_ap_ssid5g parameter. Since the attack vector is network-based, it does not require authentication or user interaction, enabling remote attacks over the Internet or local network.
An attacker can gain full control of the device by executing arbitrary system commands, resulting in a breach of confidentiality, integrity, and availability of the device and the supported network.
Apply patches available from the manufacturer according to the references. As an interim risk mitigation measure, it is recommended to isolate the device from untrusted network traffic (e.g., restrict access to the administration panel through a firewall) until the firmware update is deployed.
Netis WF2780 firmware version v2.1.40144
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HNetis Systems Wf2780
HWNetis-Systemswszystkie wersjeNetis Systems Wf2780 Firmware
OSNetis-Systems2.1.40144
Related vulnerabilities
Netis WF2780 2.3.40404 and WF2411 1.1.29629 devices allow Shell Metacharacter Injection into the ping command,...
A null pointer dereference vulnerability was discovered in Netis WF2780 v2.2.35445. The vulnerability exists i...
Netis WF2780 v2.1.40144 was discovered to contain a command injection vulnerability via the config_sequence pa...
Command Injection w Netis-Systems MEX605 — zdalne wykonanie poleceń OS
Command injection w NETIS SYSTEMS MW5360 przez parametr hasła na stronie logowania