Share: Email | Twitter

ID

VDE-2024-032

Published

2024-07-03 11:00 (CEST)

Last update

2024-07-03 15:33 (CEST)

Vendor(s)

Helmholz GmbH & Co. KG

Product(s)

Article No° Product Name Affected Version(s)
REX 100 <= 2.2.11

Summary

There exists a vulnerability in all REX 100 devices with firmware <= 2.2.11 that allows an authenticated attacker to execute arbitrary system commands via GET requests.

Update: 03.07.2024 3:30pm 

In section Reported by Sebastian Dietz (CyberDanube) was added.


Last Update:

30. August 2024 09:24

Weakness

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')  (CWE-78) 

Summary

A high privileged remote attacker can execute arbitrary system commands via GET requests due to improper neutralization of special elements used in an OS command.


Impact

See CVE description.

Solution

Mitigation

As this is an authenticated exploit, you can mitigate it by making sure that no malicious actor can login to a vulnerable device. 

Remediation

Update to latest version: 2.2.13

Reported by

CERT@VDE coordinated with Helmholz

Reported by Sebastian Dietz (CyberDanube)