ALLNET ALL-RUT22GW OS Command Injection Vulnerability Allowing Remote Code Execution
Vulnerability
A command injection vulnerability has been identified in version 3.3.8 of the ALLNET ALL-RUT22GW 4G LTE cellular router. The issue resides in the 'popen.cgi' endpoint, which executes user-supplied command parameters without proper sanitization, allowing remote attackers to run arbitrary operating system commands with root privileges. A successful attacker gains complete control over the affected device.
Impact
Exploitation of this vulnerability allows for remote code execution on the affected device with root privileges.
Reproduction
To reproduce this vulnerability, send an unauthenticated HTTP GET request to the 'popen.cgi' endpoint, including a 'command' parameter with the desired OS command. The command will be executed on the device with root privileges, and the response will confirm the execution by returning the command's output.
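For detection, the request described above can be hunted in web access logs. The following is an added example, not code from the advisory or the vendor; it assumes Combined Log Format lines from a proxy or gateway in front of the router, and the function name, the sample lines and the PLACEHOLDER directory are constructed, since the advisory names only the 'popen.cgi' endpoint and its 'command' parameter.

```python
import re
from posixpath import basename
from urllib.parse import parse_qs, unquote, urlsplit

# Assumed input: Combined Log Format, ip - user [time] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def find_popen_cgi_hits(lines):
    """Return one dict per logged request to popen.cgi that carries a 'command' parameter."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line in the assumed format
        url = urlsplit(m["target"])
        # Decode the path first so a percent-encoded file name is still matched
        if basename(unquote(url.path)).lower() != "popen.cgi":
            continue
        # parse_qs percent-decodes the values, so triage sees the command as submitted
        for value in parse_qs(url.query, keep_blank_values=True).get("command", []):
            hits.append({
                "ip": m["ip"], "time": m["time"], "method": m["method"],
                "status": int(m["status"]), "command": value,
            })
    return hits

# Constructed sample lines (documentation address ranges, placeholder directory)
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Jan/2025:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "-"',
    '203.0.113.9 - - [01/Jan/2025:10:00:05 +0000] "GET /PLACEHOLDER/popen.cgi?command=uname%20-a HTTP/1.1" 200 87 "-" "-"',
    '203.0.113.9 - - [01/Jan/2025:10:00:09 +0000] "GET /PLACEHOLDER/popen%2Ecgi?x=1&command=id HTTP/1.1" 404 0 "-" "-"',
    '198.51.100.7 - - [01/Jan/2025:10:00:12 +0000] "GET /PLACEHOLDER/popen.cgi HTTP/1.1" 200 0 "-" "-"',
    'truncated or malformed line',
]

if __name__ == "__main__":
    for hit in find_popen_cgi_hits(SAMPLE_LOG):
        print(hit)
```

Since the request needs no authentication, the logged user field says nothing about who sent it; the status code and source address are the fields to triage on.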
