Nexxt Solutions NCM-X1800 Mesh Router Command Injection Vulnerability in Web Management Interface

A command injection vulnerability has been identified in Nexxt Solutions NCM-X1800 Mesh Router, specifically in versions UV1.2.7 and prior. This vulnerability allows authenticated attackers to execute arbitrary commands on the device. The issue arises in the web management interface's ping and traceroute functionalities, particularly within the '/web/um_ping_set.cgi' endpoint. The application does not adequately sanitize user input in the 'Ping_host_text' parameter before it is passed to the underlying system command, enabling attackers to inject and execute arbitrary shell commands with root privileges.

Impact

Exploitation of this vulnerability leads to remote code execution on the device, with the injected commands being executed as the root user, resulting in full device compromise.

Reproduction

To reproduce this vulnerability, an authenticated user can send a request to the '/web/um_ping_set.cgi' endpoint with a crafted 'Ping_host_text' parameter that includes the desired shell commands. The lack of input sanitization will allow the injected commands to be executed on the device's operating system.