critical security vulnerability closed in this firmware version
Summary
There exists a vulnerability in all REX 100 devices with firmware
Update: 03.07.2024 3:30pm
In section Reported by Sebastian Dietz (CyberDanube) was added.
CVE ID CVE-2024-5672
Last Update: 7. June 2024 10:42
Severity 7.2 ( CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
Weakness Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
(CWE-78)
Summary
A high privileged remote attacker can execute arbitrary system commands via GET requests due to improper neutralization of special elements used in an OS command.
Impact See CVE description.
Solution Mitigation
As this is an authenticated exploit, you can mitigate it by making sure that no malicious actor can login to a vulnerable device.
*Remediation Update to latest version: 2.2.13*