Nexxt Solutions NCM-X1800 Mesh Router Authenticated Command Injection Vulnerability in Firmware Update Feature

Vulnerability

An authenticated command injection vulnerability has been identified in the Nexxt Solutions NCM-X1800 Mesh Router, specifically in firmware versions UV1.2.7 and below. The vulnerability arises in the firmware update feature, where the endpoints '/web/um_fileName_set.cgi' and '/web/um_web_upgrade.cgi' fail to properly sanitize the 'upgradeFileName' parameter. This oversight allows authenticated attackers to execute arbitrary operating system commands on the device, leading to remote code execution.

Impact

Exploitation of this vulnerability allows for remote code execution on the device, with the executed commands running as the root user. This could result in a full compromise of the device, including the potential installation of a persistent backdoor.

Reproduction

To reproduce this vulnerability, an authenticated user can send a request to the '/web/um_fileName_set.cgi' endpoint with a crafted 'upgradeFileName' parameter that includes injected OS commands. The injected commands are then executed on the device with root privileges.
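
A defensive check for the flaw described above, as an added example that is not part of the original advisory or the vendor's code: it flags requests to the two named endpoints whose 'upgradeFileName' value is not a plain file name. The allowlist pattern, the URL-encoded body format and the sample requests are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Endpoints and parameter named in the advisory.
ENDPOINTS = {"/web/um_fileName_set.cgi", "/web/um_web_upgrade.cgi"}
PARAM = "upgradeFileName"

# Assumption: a legitimate firmware file name uses only these characters.
# Anything else (shell separators, quotes, whitespace, slashes) is flagged.
SAFE_NAME = re.compile(r"[A-Za-z0-9._-]{1,128}")


def flag_request(target: str, body: str = "") -> list[str]:
    """Return the decoded upgradeFileName values that are not plain names.

    target: request path plus optional query string.
    body:   request body, assumed to be URL-encoded form data.
    """
    parts = urlsplit(target)
    if parts.path not in ENDPOINTS:
        return []
    # Collect the parameter from both the query string and the body;
    # parse_qs percent-decodes, so encoded metacharacters are seen too.
    values = []
    for raw in (parts.query, body):
        values += parse_qs(raw, keep_blank_values=True).get(PARAM, [])
    return [v for v in values if not SAFE_NAME.fullmatch(v)]


# Constructed sample requests (not captured traffic).
SAMPLES = [
    ("/web/um_fileName_set.cgi", "upgradeFileName=firmware_v1.bin"),
    ("/web/um_fileName_set.cgi", "upgradeFileName=fw.bin%3Bx"),
    ("/web/um_web_upgrade.cgi?upgradeFileName=fw.bin%20x", ""),
    ("/web/status.cgi", "upgradeFileName=fw.bin%3Bx"),
]

if __name__ == "__main__":
    for target, body in SAMPLES:
        hits = flag_request(target, body)
        print("ALERT" if hits else "ok   ", target, hits)
```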

Added: Jul 15, 2025, 3:30 PM
Updated: Jul 15, 2025, 3:30 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 7.5
exploitability: 6.6
remediation: 0.0
relevance: 0.3
threat: 6.4
urgency: 2.9
incentive: 0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.