Infinxt iEdge 100 OS Command Injection Vulnerability in Troubleshoot Module

Vulnerability

A command injection vulnerability has been identified in the Infinxt iEdge 100, version 2.1.32, within the Troubleshoot module. The issue arises in the tracertVal parameter of the Tracert function, allowing attackers to execute arbitrary commands on the host operating system via the vulnerable application.

Impact

Exploitation of this vulnerability could lead to unauthorized command execution on the host operating system, potentially allowing attackers to access sensitive data, compromise the system, or gain full control over the affected server.

Reproduction

To reproduce this vulnerability, log into the console, navigate to the Troubleshoot section, and select the Tracert option. Enter an IP address followed by a payload designed to bypass the input restrictions and reach command execution. After submitting the request, capture it and attempt to retrieve a file, such as the password file, through the tracertVal parameter. The contents of the requested file should be returned in the HTTP response.
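The sketch below is an added example, not code from the vendor or from this advisory. It shows how a trace handler can treat a value like tracertVal: strict parsing as an IP address or hostname, then an argument vector passed to the process without a shell. The function names and the use of a Unix `traceroute` binary are assumptions.

```python
import ipaddress
import re
import subprocess

# Characters that can occur in an IP literal or DNS name; everything else
# (spaces, quotes, ; | & $ ` % newlines) is rejected before further parsing.
_ALLOWED = re.compile(r"[A-Za-z0-9.:-]{1,253}")
# RFC 1123 hostname label: no leading or trailing hyphen, at most 63 chars.
_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")


def parse_target(value):
    """Return a canonical IP address or hostname, or raise ValueError."""
    if not isinstance(value, str) or not _ALLOWED.fullmatch(value):
        raise ValueError("target contains characters outside the allowlist")
    try:
        return str(ipaddress.ip_address(value))
    except ValueError:
        pass  # not an IP literal, fall through to the hostname check
    labels = value.split(".")
    if all(_LABEL.fullmatch(l) for l in labels) and not labels[-1].isdigit():
        return value.lower()
    raise ValueError("target is neither an IP address nor a hostname")


def build_argv(value):
    """Argument vector for the trace; the target is always one argv element."""
    # Assumption: a Unix "traceroute" binary; -n and -m are its standard flags.
    # parse_target() rejects a leading "-", so the target cannot act as a flag.
    return ["traceroute", "-n", "-m", "15", parse_target(value)]


def run_trace(value, timeout=60):
    """Run the trace without a shell and return its output."""
    proc = subprocess.run(build_argv(value), capture_output=True,
                          text=True, timeout=timeout, check=False)
    return proc.stdout


if __name__ == "__main__":
    # Constructed sample inputs: two valid targets, then inputs to reject.
    for sample in ["192.0.2.10", "Example.COM", "192.0.2.10;id", "-n", "$(id)"]:
        try:
            print(repr(sample), "->", build_argv(sample))
        except ValueError as err:
            print(repr(sample), "rejected:", err)
```

Validation and shell-free execution are independent layers: either one alone stops the target string from being interpreted as a command, and together they also cover option injection.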

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 10.0
exploitability: 6.1
remediation: 0.0
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.