ProSoft Technology ICX35-HWC Command Injection Vulnerability in Web Interface

A command injection vulnerability has been identified in the web user interface of ProSoft Technology ICX35-HWC cellular gateways, affecting versions through 1.3. This vulnerability allows remote attackers to inject and execute system commands by exploiting unvalidated input fields in the web interface. Successful exploitation grants root privileges, enabling arbitrary command execution on the device. The vulnerability can be exploited remotely via the cellular network, potentially using the compromised device as a platform for broader attacks.

Impact

Exploitation of this vulnerability allows for arbitrary command execution on the device with root privileges. Given that the ICX35-HWC provides Internet connectivity through its cellular WAN port, a compromised gateway could be used as a launch point for attacks against other systems.

Remediation

Users are advised to update the firmware on their ICX35-HWC gateways to version 1.3 or later. The firmware update can be performed through ProSoft Connect or by downloading the firmware files from the ProSoft Technology website.