Newtec/iDirect OS Command Injection Vulnerability Allowing Local Code Inclusion

Vulnerability

A vulnerability allowing improper neutralization of special elements used in OS command execution has been identified in Newtec/iDirect models NTC2218, NTC2250, and NTC2299, running Linux on PowerPC and ARM architectures. This vulnerability, present in versions 1.0.1.1 through 2.2.6.19, arises from the `commit_multicast` page in the modem's web administration interface. The page improperly parses incoming data before passing it to an `eval` statement in a bash script, enabling attackers to inject arbitrary shell commands. Exploitation of this vulnerability could lead to unauthorized code execution on the affected device.

Impact

Exploitation of this vulnerability allows for arbitrary code execution on the affected device.

Added: Jun 9, 2025, 7:46 PM

Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

10.0

exploitability

4.3

remediation

0.0

relevance

0.0

threat

4.8

urgency

2.9

incentive

1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

10.0

exploitability

4.3

remediation

0.0

relevance

0.0

threat

4.8

urgency

2.9

incentive

1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Newtec/iDirect OS Command Injection Vulnerability Allowing Local Code Inclusion

Vulnerability

Impact

Affected Products

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating