Netcore Routers Command Injection Vulnerability in HTTP Header Handler

A critical command injection vulnerability has been identified in several Netcore router models, including the NBR1005GPEV2, B6V2, COVER5, NAP830, NAP930, NBR100V2, and NBR200V2, all running firmware prior to 20250508. The vulnerability arises in the HTTP Header Handler component, specifically within the 'passwd_set' function of the 'routerd' file. This issue allows for arbitrary command execution by manipulating the 'pwd' argument, and can be exploited remotely.

Impact

Exploitation of this vulnerability allows for arbitrary command execution on the affected device.

Reproduction

The vulnerability can be reproduced by sending a POST request to '/ubus' with a JSON payload that includes the 'passwd_set' method. The 'pwd' parameter can be crafted to include a command, such as 'mkdir', which will be executed on the device. This exploitation can be automated with a script or tool that interacts with the device's web interface.

Remediation

Netcore users are advised to contact Netcore (Netis Technology) technical support to address this vulnerability.