Dataphone A920 Remote Command Execution Vulnerability

Vulnerability

A remote command execution vulnerability has been identified in the Dataphone A920, specifically in version 2025.07.161103. The issue arises from a service that accepts network packets without proper authentication or validation. Attackers can send crafted packets that exploit this lack of validation, leading the device to execute unintended commands within the context of the service's process.

Impact

Exploitation of this vulnerability allows for remote command execution, but only within the compromised service's process context, without escalating to full device root or system privileges.

Reproduction

The vulnerability can be reproduced by sending a custom TCP packet to the Dataphone A920's payment processing service. This can be done using a Python script that crafts packets with arbitrary data in certain header fields. The device accepts these packets without authentication and triggers the payment process, demonstrating that the service improperly trusts network inputs.

Remediation

It is recommended that the vendor implement strict input validation and authentication for packets processed by the service. This includes validating packet headers and payloads, requiring mutual authentication for command-like packets, and running the service with minimal privileges. Additionally, the vendor should provide a firmware update that corrects the parsing and authentication logic.
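The following is an added example, not the vendor's code and not part of the original advisory: a receiver-side check in Python that applies the header validation and packet authentication recommended above before any command is dispatched. The frame layout, field names, message types and pre-shared HMAC key are assumptions made for illustration, since the advisory does not document the A920 protocol; full mutual authentication would also authenticate the device to the client, for example with mutual TLS.

```python
import hashlib
import hmac
import struct

# Hypothetical frame layout (an assumption, not the A920 wire format):
#   magic(2) | version(1) | msg_type(1) | counter(8) | length(2) | payload | tag(32)
HEADER = struct.Struct(">2sBBQH")
MAGIC, VERSION, TAG_LEN, MAX_PAYLOAD = b"PX", 1, 32, 512
ALLOWED_TYPES = {0x01: "status", 0x02: "start_payment"}  # assumed command set

class FrameError(ValueError):
    """Raised for any frame that must be dropped."""

def build_frame(key, msg_type, counter, payload):
    """Sender side: header + payload, then an HMAC-SHA256 tag over both."""
    body = HEADER.pack(MAGIC, VERSION, msg_type, counter, len(payload)) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()

class FrameValidator:
    """Receiver side: structural checks, then authentication, then replay check."""
    def __init__(self, key):
        self.key = key
        self.last_counter = 0  # highest counter accepted so far

    def accept(self, frame):
        if len(frame) < HEADER.size + TAG_LEN:
            raise FrameError("truncated frame")
        magic, version, msg_type, counter, length = HEADER.unpack_from(frame)
        if magic != MAGIC or version != VERSION:
            raise FrameError("bad magic or version")
        if msg_type not in ALLOWED_TYPES:
            raise FrameError("unknown message type")
        # Declared length must be bounded and match the bytes actually received.
        if length > MAX_PAYLOAD or len(frame) != HEADER.size + length + TAG_LEN:
            raise FrameError("length mismatch")
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):  # constant-time comparison
            raise FrameError("authentication failed")
        if counter <= self.last_counter:  # authentic, but already seen
            raise FrameError("replayed frame")
        self.last_counter = counter
        return ALLOWED_TYPES[msg_type], body[HEADER.size:]

if __name__ == "__main__":
    key = b"\x11" * 32  # constructed demo key
    validator = FrameValidator(key)
    print(validator.accept(build_frame(key, 0x02, 1, b"amount=100")))
```

Rejected frames raise FrameError before the payload reaches any command handler, so an unauthenticated or malformed packet cannot trigger the payment flow.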

Added: Oct 28, 2025, 8:19 PM
Updated: Oct 28, 2025, 8:19 PM

Vulnerability Rating

Custom Algorithm

spread: 5.4
impact: 1.9
exploitability: 6.0
remediation: 0.0
relevance: 0.8
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.