
ID

VDE-2024-030

Published

2024-07-03 11:00 (CEST)

Last update

2024-07-03 15:35 (CEST)

Vendor(s)

Red Lion Europe GmbH

Product(s)

Product Name

mbNET.mini

Affected Version(s)

<= 2.2.11

Summary

There exists a vulnerability in all mbNET.mini devices with firmware <= 2.2.11 that allows an authenticated attacker to execute arbitrary system commands via GET requests.

Update: 03.07.2024 3:30 pm

In the section "Reported by", Sebastian Dietz (CyberDanube) was added.


Last Update:

Aug. 30, 2024, 9:24 a.m.

Weakness

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') (CWE-78)

Summary

A high privileged remote attacker can execute arbitrary system commands via GET requests due to improper neutralization of special elements used in an OS command.


Impact

See CVE description.

Solution

Mitigation

As exploitation requires authentication, you can mitigate this issue by ensuring that no malicious actor can log in to a vulnerable device.

Remediation

Update to the latest version: 2.2.13

Reported by

CERT@VDE coordinated with Red Lion Europe

Reported by Sebastian Dietz (CyberDanube)