Digital China DCME-520 OS Command Injection Vulnerability in Web Management Interface

A critical OS command injection vulnerability has been identified in the Digital China DCME-520 gateway, affecting versions through 20250320. The issue arises from an unknown processing flaw in the file '/usr/local/WWW/function/audit/newstatistics/mon_merge_stat_hist.php', where the 'type_name' argument can be manipulated to inject and execute arbitrary commands on the operating system. This vulnerability can be exploited remotely, and while the primary injection point has been disclosed, other parameters may also be susceptible.

Impact

Exploitation of this vulnerability allows for arbitrary code execution on the affected device, potentially leading to full control over the device.

Reproduction

To reproduce this vulnerability, log into the web management interface of a DCME-520 device. Navigate to the 'mon_merge_stat_hist.php' file within the 'function/audit/newstatistics' directory. Once there, send a request that includes the 'statset', 'type', and 'type_name' parameters. The 'type_name' parameter should be crafted to include a command injection payload, such as a command to echo data into a text file. After the request is processed, the injected command will be executed, and the output will be written to the specified file, verifying the successful exploitation of the vulnerability.