+F FS010M OS Command Injection Vulnerability
Vulnerability
A vulnerability allowing OS command injection has been identified in the +F FS010M IoT device, in versions prior to V2.0.1_1101. This vulnerability allows a remote authenticated attacker to execute arbitrary OS commands. The issue arises from improper handling of special elements in OS command execution.
Impact
Exploitation of this vulnerability allows for arbitrary OS command execution by a remote authenticated attacker.
Reproduction
To reproduce this vulnerability, connect to the device's wireless or wired network. Log into the device's settings tool using either the 'administrator' or 'guest' account. Once logged in, access the command line interface (CLI) through the 'system' > 'terminal' menu. After performing specific operations, arbitrary OS commands can be executed. This vulnerability can also be reproduced by manipulating requests while logged in as an administrator.
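The "improper handling of special elements" in the description is the classic CWE-78 pattern: a value typed into a device's terminal menu reaches a shell as part of a command string. As an added illustration that is not the vendor's firmware or code, the Python below contrasts that vulnerable string-building pattern with a handler that allowlists the sub-command, validates the argument, and executes via an argv list without a shell; the command set, binary paths and sample inputs are constructed assumptions.

```python
"""
Added example (not +F FS010M code): vulnerable vs. hardened handling of a
user-supplied argument for a hypothetical device 'terminal' menu.
"""
import ipaddress
import re
import subprocess

# Constructed allowlist: terminal sub-command -> fixed argv prefix (hypothetical paths).
ALLOWED = {
    "ping": ["/bin/ping", "-c", "3"],
    "nslookup": ["/usr/bin/nslookup"],
}
# "Special elements" in the CWE-78 sense: anything a shell would interpret.
SHELL_META = re.compile(r"[;&|`$<>(){}\[\]\\\"'\n\r\t ]")
HOSTNAME = re.compile(
    r"[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?)*"
)


def build_shell_command_vulnerable(user_input: str) -> str:
    # Vulnerable pattern: raw input concatenated into a string handed to a shell.
    # A constructed input such as "192.0.2.1; id" is parsed by the shell as two commands.
    return "ping -c 3 " + user_input


def validate_target(target: str) -> bool:
    """Accept only an IP address or a plain hostname; refuse shell metacharacters."""
    if not target or len(target) > 253 or SHELL_META.search(target):
        return False
    try:
        ipaddress.ip_address(target)
        return True
    except ValueError:
        return HOSTNAME.fullmatch(target) is not None


def build_argv_hardened(command: str, target: str):
    """Return argv for an allowlisted sub-command, or None if the request is rejected."""
    if command not in ALLOWED or not validate_target(target):
        return None
    return ALLOWED[command] + [target]


def run_terminal_command(command: str, target: str) -> str:
    argv = build_argv_hardened(command, target)
    if argv is None:
        return "rejected"
    # argv list with shell=False: the target is one argument, never parsed by a shell.
    return subprocess.run(argv, capture_output=True, text=True, timeout=10).stdout
```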
Remediation
Users are advised to update the device's firmware to version V2.0.1_1101.
