Russound MBX-PRE-D67F OS Command Injection Vulnerability Allowing Root Command Execution

Vulnerability

An OS command injection vulnerability has been identified in Russound MBX-PRE-D67F firmware version 3.1.6. An unauthenticated attacker can execute arbitrary commands as root by placing shell metacharacters and a follow-on command in the hostname parameter of a network configuration request. The network configuration handler does not sanitize or allowlist this value before it reaches an operating system command, so the injected text is interpreted by the shell and runs with the handler's root privileges, giving remote code execution with elevated privileges.

Impact

Exploitation of this vulnerability allows unauthenticated attackers to execute arbitrary commands as root on the affected device.

Reproduction

The vulnerability can be reproduced by sending a crafted HTTP request to the device's network configuration interface with shell metacharacters and an attacker-chosen command embedded in the hostname parameter. No authentication is required to perform this action, and because the handler runs as root, the injected command executes with root privileges.
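The following C code is an added example, not Russound firmware or code from this advisory. It shows the pattern described above (a request field pasted into a shell command line) next to a hardened handler that allowlists the hostname and passes it to the kernel or an argv-based exec instead of a shell. All function names, the sample payload, and the use of /bin/hostname are assumptions for illustration; the advisory does not publish the device's actual endpoint or handler code.

```c
/* Added example (not Russound code): vulnerable hostname handling beside a
 * hardened version. Function names and the payload are constructed. */
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Vulnerable pattern: the request field is pasted into a shell command line.
 * A value such as "mbx; id > /tmp/pwned" keeps the line well-formed for the
 * shell, so system() would run the attacker's command after hostname(1).
 * The system() call is omitted so this example runs without executing anything. */
int build_hostname_command_vuln(const char *name, char *out, size_t outlen) {
    return snprintf(out, outlen, "hostname %s", name);
}

/* Hardened step 1: allowlist validation using RFC 1123 label rules
 * (letters, digits and '-', no leading/trailing '-', labels <= 63 chars,
 * total <= 253). Anything a shell could interpret (';', '|', '&', '$', '`',
 * quotes, whitespace, ...) is rejected because it is not in the alphabet. */
bool hostname_is_valid(const char *name) {
    size_t total = strlen(name);
    if (total == 0 || total > 253) return false;
    size_t label_len = 0;
    for (size_t i = 0; i <= total; i++) {
        char c = name[i];
        if (c == '.' || c == '\0') {
            if (label_len == 0 || label_len > 63) return false; /* empty/long label */
            if (name[i - 1] == '-') return false;              /* trailing '-' */
            label_len = 0;
            continue;
        }
        if (label_len == 0 && c == '-') return false;          /* leading '-' */
        if (!(isalnum((unsigned char)c) || c == '-')) return false;
        label_len++;
    }
    return true;
}

/* Hardened step 2: never go through a shell. The validated value is passed as
 * its own argv element, so no command-line parsing ever sees it. Returns the
 * child's exit status, or -1 if the name was rejected or the exec failed.
 * (A handler could equally call sethostname(2) directly; argv exec is shown
 * because it is the drop-in replacement for system().) */
int set_hostname_safe(const char *name) {
    if (!hostname_is_valid(name)) return -1;   /* reject before touching the OS */
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *const argv[] = { "hostname", (char *)name, NULL };
        execv("/bin/hostname", argv);          /* path is an assumption */
        _exit(127);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) {
    char cmd[256];
    const char *payload = "mbx; id > /tmp/pwned";   /* constructed sample input */
    build_hostname_command_vuln(payload, cmd, sizeof cmd);
    printf("shell would run: %s\n", cmd);
    printf("valid(\"mbx-pre\") = %d, valid(payload) = %d\n",
           hostname_is_valid("mbx-pre"), hostname_is_valid(payload));
    printf("set_hostname_safe(payload) = %d\n", set_hostname_safe(payload));
    return 0;
}
```

The check a reviewer should apply to any network configuration handler is the one the hardened version makes explicit: every user-controlled field that ends up in a command must be allowlisted against the narrowest alphabet its purpose allows, and the command must be invoked without a shell. Escaping or blocklisting metacharacters is not a substitute, since the shell's quoting rules are easy to get wrong and the handler here runs as root.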

Added: Jul 31, 2025, 3:26 PM
Updated: Jul 31, 2025, 3:26 PM

Vulnerability Rating

Custom Algorithm

spread          0.0
impact          7.5
exploitability  7.7
remediation     0.0
relevance       0.3
threat          1.6
urgency         2.9
incentive       5.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.