CRITICAL🇵🇱 Wersja polska

CVE-2024-33792

CVSS 9.8v3.1pub. 2024-05-03upd. 2025-06-17

netis-systems MEX605 v2.00.06 allows attackers to execute arbitrary OS commands via a crafted payload to the tracert page.

🤖 AI Analysis
How it works

An attacker sends a crafted payload to the 'tracert' (traceroute) diagnostic page available in the device's interface. User input passed through the interface is not properly validated or sanitized (CWE-20), allowing injection of additional system commands (CWE-78). As a result, malicious commands are executed with the privileges of the process handling the request at the router's operating system level.

Impact

An attacker can remotely take full control of the device by executing arbitrary OS commands — including modifying configuration, gaining access to transmitted network data, or using the device as an entry point for further attacks on the internal network.

Mitigation & patch

Apply patches available from the manufacturer according to the references provided. As a temporary measure, it is recommended to restrict access to the device's administrative interface exclusively to trusted hosts and to isolate the device from the public Internet.

Who is affected

Netis-Systems MEX605 with firmware version v2.00.06

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Netis Systems Mex605

    HW
    Netis-Systems
    wszystkie wersje
  • Netis Systems Mex605 Firmware

    OS
    Netis-Systems
    2.00.06
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
Command Injection
CWE
References

Related vulnerabilities

CVE-2024-33791MEDIUM4.6ten sam produkt

A cross-site scripting (XSS) vulnerability in netis-systems MEX605 v2.00.06 allows attackers to execute arbitr...

CVE-2024-33793MEDIUM5.3ten sam produkt

netis-systems MEX605 v2.00.06 allows attackers to execute arbitrary OS commands via a crafted payload to the p...

CVE-2024-25850CRITICAL9.8PL ✓ten sam vendor

Command injection w Netis WF2780 przez parametr wps_ap_ssid5g

CVE-2024-22729CRITICAL9.8PL ✓ten sam vendor

Command injection w NETIS SYSTEMS MW5360 przez parametr hasła na stronie logowania

CVE-2023-45466CRITICAL9.8ten sam vendor

Netis N3Mv2-V1.0.1.865 was discovered to contain a command injection vulnerability via the pin_host parameter ...