CVE-2024-48440

Improper Neutralization of Special Elements used in a Command ('Command Injection') (CWE-77)

Published: Oct 24, 2024 / Updated: 26d ago

010
CVSS 8.8EPSS 0.04%High
CVE info copied to clipboard

Summary

A command injection vulnerability was discovered in the Shenzhen Tuoshi Network Communications Co.,Ltd 5G CPE Router NR500-EA RG500UEAABxCOMSLICv3.2.2543.12.18. The vulnerability is specifically located in the component at_command.asp.

Impact

This vulnerability allows an attacker with access to an adjacent network to execute arbitrary commands on the affected router without requiring any user interaction. The impact is severe, as it can lead to complete compromise of the router's confidentiality, integrity, and availability. An attacker could potentially gain full control over the router, intercept or modify network traffic, and use the router as a pivot point for further attacks on the network.

Exploitation

There is no evidence that a public proof-of-concept exists. There is no evidence of proof of exploitation at the moment.

Patch

As of the current information provided, there is no mention of an available patch for this vulnerability. The security team should closely monitor for any updates or patches released by Shenzhen Tuoshi Network Communications Co.,Ltd for the affected 5G CPE Router model.

Mitigation

Until a patch is available, consider the following mitigation strategies: 1. Restrict access to the router's management interface to trusted IP addresses only. 2. Implement strong network segmentation to isolate the affected routers from critical network assets. 3. Monitor for any suspicious activities or unauthorized access attempts on these routers. 4. If possible, consider replacing the affected routers with alternative models that are not vulnerable to this specific command injection issue. 5. Regularly check for firmware updates from the manufacturer and apply them promptly when available. 6. Implement additional network security measures such as intrusion detection/prevention systems (IDS/IPS) to monitor for potential exploitation attempts.

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Timeline

CVE Assignment

NVD published the first details for CVE-2024-48440

Oct 24, 2024 at 6:15 PM
First Article

Feedly found the first article mentioning CVE-2024-48440. See article

Oct 24, 2024 at 6:22 PM / Vulners.com RSS Feed
CVSS Estimate

Feedly estimated the CVSS score as HIGH

Oct 24, 2024 at 6:22 PM
EPSS

EPSS Score was set to: 0.04% (Percentile: 9.8%)

Oct 25, 2024 at 10:07 AM
CVSS

A CVSS base score of 8.8 has been assigned.

Oct 25, 2024 at 8:40 PM / nvd
Static CVE Timeline Graph

Attack Patterns

CAPEC-136: LDAP Injection
+null more

News

Security Bulletin 30 Oct 2024 - Cyber Security Agency of Singapore
A vulnerability in the SSH subsystem of Cisco Adaptive Security Appliance (ASA) Software could allow an authenticated, remote attacker to execute ...
CVE-2024-48440
High Severity Description Shenzhen Tuoshi Network Communications Co.,Ltd 5G CPE Router NR500-EA RG500UEAABxCOMSLICv3.2.2543.12.18 was discovered to contain a command injection vulnerability via the component at_command.asp. Read more at https://www.tenable.com/cve/CVE-2024-48440
NA - CVE-2024-48440 - Shenzhen Tuoshi Network Communications Co.,Ltd...
Shenzhen Tuoshi Network Communications Co.,Ltd 5G CPE Router NR500-EA RG500UEAABxCOMSLICv3.2.2543.12.18 was discovered to contain a command injection vulnerability via the component at_command.asp.
CVE-2024-48440 | Shenzhen Tuoshi Network Communications 5G CPE Router NR500-EA 3.2.2543.12.18 at_command.asp command injection
A vulnerability was found in Shenzhen Tuoshi Network Communications 5G CPE Router NR500-EA 3.2.2543.12.18 . It has been declared as critical . This vulnerability affects unknown code of the file at_command.asp . The manipulation leads to command injection. This vulnerability was named CVE-2024-48440 . Access to the local network is required for this attack. There is no exploit available.
CVE-2024-48440
Shenzhen Tuoshi Network Communications Co.,Ltd 5G CPE Router NR500-EA RG500UEAABxCOMSLICv3.2.2543.12.18 was discovered to contain a command injection vulnerability via the component...
See 4 more articles and social media posts

CVSS V3.1

Attack Vector:Adjacent_network
Attack Complexity:Low
Privileges Required:None
User Interaction:None
Scope:Unchanged
Confidentiality:High
Integrity:High
Availability Impact:High

Categories

Be the first to know about critical vulnerabilities

Collect, analyze, and share vulnerability reports faster using AI