Netcomm NTC 6200 and NWL 222 Series Command Injection Vulnerability Allowing Remote Code Execution

A vulnerability allowing arbitrary command injection has been identified in the Netcomm NTC 6200 and NWL 222 series devices. This issue arises from multiple endpoints in the web interface, which is accessible for configuration by operators. The vulnerability is compounded by the use of insecure hardcoded passwords, enabling remote authenticated attackers to execute arbitrary code with elevated privileges. On the NWL 222 series, this vulnerability affects versions prior to 2.1.21.1, while all versions of the NTC 6200 series are vulnerable.

Impact

Exploitation of this vulnerability allows remote authenticated attackers to execute arbitrary commands with root privileges on the affected devices.

Reproduction

The vulnerability can be reproduced by sending a POST request to the 'http://<ip_of_device>/cgi-bin/ssh.cgi' endpoint. The request must include a command in the 'cmd' parameter. This can be done using curl with basic authentication. The injected command will be executed with root privileges, and the response can be redirected to a file for verification.

Remediation

Users of the NWL-222 series should upgrade to version 2.1.21.1. For the NTC-6200 series, no fixed version is available, but users should change default credentials where possible and limit network exposure.