Sercomm SCE4255W OS Command Injection Vulnerability in CWMP Client Allowing Root Command Execution
Vulnerability
A command injection vulnerability has been identified in the CWMP (TR-069) client of the Sercomm SCE4255W small cell device running FreedomFi Englewood firmware prior to DG3934v3@2308041842. A remote attacker who controls the ACS (Auto Configuration Server) endpoint can execute arbitrary commands as the root user. The flaw is that the URL supplied in a TR-069 Download request is not properly validated before being passed into the firmware upgrade process, so shell metacharacters in the URL are interpreted as commands.
Impact
Exploitation of this vulnerability leads to complete compromise of the device, with the attacker gaining root access.
Reproduction
The vulnerability can be reproduced by redirecting the device's TR-069 endpoint to a server that intercepts and modifies the CWMP exchange. Once powered on, the device sends an Inform message to the intercepting server. The server then responds with a crafted Download message whose URL contains shell metacharacters. When the device processes this response, it executes the injected command, for example opening a reverse shell.
Remediation
Sercomm has confirmed that the vulnerability has been fixed internally, but no channel exists to deploy the fix to affected devices in the field.
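The root cause described above is a Download URL that reaches a shell-interpreted command line unvalidated. The following C code is an added illustration of the two controls a CWMP client needs at that point; it is not Sercomm's or FreedomFi's code and makes no claim about how the fixed firmware is implemented. It (1) checks the URL against a strict character allowlist before it is accepted and (2) hands the URL to the downloader as a single argv element via execv(), so no shell ever parses it. The 1024-byte length limit, the http/https-only scheme rule, the /usr/bin/curl path and its flags, and the sample URLs in main() are all assumptions constructed for the example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Maximum accepted Download URL length (assumed limit for this example). */
#define CWMP_URL_MAX 1024

/* Characters permitted in the host[:port] part: hostname characters,
 * IPv6 brackets and the port separator. */
static int host_char_ok(unsigned char c)
{
    return isalnum(c) || c == '-' || c == '.' || c == ':' || c == '[' || c == ']';
}

/* Characters permitted after the host. This is deliberately stricter than
 * RFC 3986: ';', '$', '`', '|', '<', '>', quotes, backslash, parentheses,
 * braces, '!', '*', '#' and whitespace are all rejected even though some of
 * them are legal in URLs, because none is needed for a firmware image URL. */
static int path_char_ok(unsigned char c)
{
    if (c == '\0')
        return 0;
    if (isalnum(c))
        return 1;
    return strchr("-._~/?=&%+,@:", c) != NULL;
}

/* Returns 1 if url is a well-formed http(s) URL made only of allowed
 * characters, 0 otherwise. Control characters are rejected implicitly
 * because they are in neither allowlist. */
int cwmp_download_url_is_safe(const char *url)
{
    const char *p;
    size_t len;

    if (url == NULL)
        return 0;
    len = strlen(url);
    if (len == 0 || len > CWMP_URL_MAX)
        return 0;

    /* Only the schemes the upgrade path is expected to handle (assumption). */
    if (strncmp(url, "https://", 8) == 0)
        p = url + 8;
    else if (strncmp(url, "http://", 7) == 0)
        p = url + 7;
    else
        return 0;

    if (*p == '\0' || *p == '/' || *p == ':')
        return 0;                           /* empty host */

    for (; *p != '\0' && *p != '/'; p++)    /* host[:port] */
        if (!host_char_ok((unsigned char)*p))
            return 0;
    for (; *p != '\0'; p++)                 /* path, query */
        if (!path_char_ok((unsigned char)*p))
            return 0;
    return 1;
}

/* Fetch the image without a shell. The URL is one argv element placed after
 * "--", so nothing in it can be read as a command or as a downloader option.
 * The curl path and flags are assumptions for this example. Returns 0 on a
 * successful download, -1 on rejection or failure. */
int cwmp_run_download(const char *url, const char *dest_path)
{
    pid_t pid;
    int status;

    if (!cwmp_download_url_is_safe(url) || dest_path == NULL)
        return -1;
    pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char *const argv[] = { "curl", "--fail", "--silent", "--output",
                               (char *)dest_path, "--", (char *)url, NULL };
        execv("/usr/bin/curl", argv);
        _exit(127);                         /* exec failed */
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 0 : -1;
}

int main(void)
{
    /* Constructed sample URLs, not taken from any real ACS exchange. */
    const char *samples[] = {
        "https://acs.example.net/fw/image.bin",
        "http://10.0.0.5:8080/fw/image.bin?id=42&sig=abc",
        "http://acs.example.net/fw.bin;x",
        "ftp://acs.example.net/fw.bin",
    };
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-52s %s\n", samples[i],
               cwmp_download_url_is_safe(samples[i]) ? "accepted" : "rejected");
    return 0;
}
```

The allowlist alone is not the fix: a URL can legitimately contain `&` or `=`, which are also shell metacharacters. The structural control is that cwmp_run_download() never builds a command string, so those characters are inert regardless of what the validator permits; the validator is defence in depth against malformed input reaching the downloader at all.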