CVE-2024-48441

Improper Neutralization of Special Elements used in a Command ('Command Injection') (CWE-77)

Published: Oct 24, 2024 / Updated: 26d ago

010
CVSS 8.8EPSS 0.04%High
CVE info copied to clipboard

Summary

A command injection vulnerability was discovered in Wuhan Tianyu Information Industry Co., Ltd Tianyu CPE Router CommonCPExCPETS_v3.2.468.11.04_P4, specifically in the component at_command.asp.

Impact

This vulnerability allows an attacker with access to the adjacent network to execute arbitrary commands on the affected system without requiring any privileges or user interaction. The impact is severe, with potential for high compromise of confidentiality, integrity, and availability of the system. Attackers could potentially gain full control over the router, intercept or modify network traffic, and use the compromised device as a foothold for further attacks on the network.

Exploitation

There is no evidence that a public proof-of-concept exists. There is no evidence of proof of exploitation at the moment.

Patch

Based on the provided information, there is no mention of an available patch for this vulnerability.

Mitigation

While no specific mitigation is mentioned, general recommendations for command injection vulnerabilities include: 1. Updating the router firmware to the latest version if a patch becomes available. 2. Implementing strong network segmentation to limit access to the vulnerable device. 3. Monitoring for suspicious activities or unauthorized access attempts. 4. Disabling or restricting access to the vulnerable component (at_command.asp) if possible. 5. Implementing strong input validation and sanitization mechanisms to prevent command injection attacks.

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Timeline

CVE Assignment

NVD published the first details for CVE-2024-48441

Oct 24, 2024 at 6:15 PM
First Article

Feedly found the first article mentioning CVE-2024-48441. See article

Oct 24, 2024 at 6:22 PM / Vulners.com RSS Feed
CVSS Estimate

Feedly estimated the CVSS score as HIGH

Oct 24, 2024 at 6:22 PM
EPSS

EPSS Score was set to: 0.04% (Percentile: 9.8%)

Oct 25, 2024 at 10:07 AM
CVSS

A CVSS base score of 8.8 has been assigned.

Oct 25, 2024 at 8:40 PM / nvd
Static CVE Timeline Graph

Attack Patterns

CAPEC-136: LDAP Injection
+null more

News

Security Bulletin 30 Oct 2024 - Cyber Security Agency of Singapore
A vulnerability in the SSH subsystem of Cisco Adaptive Security Appliance (ASA) Software could allow an authenticated, remote attacker to execute ...
CVE-2024-48441
High Severity Description Wuhan Tianyu Information Industry Co., Ltd Tianyu CPE Router CommonCPExCPETS_v3.2.468.11.04_P4 was discovered to contain a command injection vulnerability via the component at_command.asp. Read more at https://www.tenable.com/cve/CVE-2024-48441
NA - CVE-2024-48441 - Wuhan Tianyu Information Industry Co., Ltd...
Wuhan Tianyu Information Industry Co., Ltd Tianyu CPE Router CommonCPExCPETS_v3.2.468.11.04_P4 was discovered to contain a command injection vulnerability via the component at_command.asp.
CVE-2024-48441 | Wuhan Tianyu Information Industry CPE Router 3.2.468.11.04 at_command.asp command injection
A vulnerability was found in Wuhan Tianyu Information Industry CPE Router 3.2.468.11.04 . It has been rated as critical . This issue affects some unknown processing of the file at_command.asp . The manipulation leads to command injection. The identification of this vulnerability is CVE-2024-48441 . Access to the local network is required for this attack to succeed. There is no exploit available.
CVE-2024-48441
Wuhan Tianyu Information Industry Co., Ltd Tianyu CPE Router CommonCPExCPETS_v3.2.468.11.04_P4 was discovered to contain a command injection vulnerability via the component...
See 4 more articles and social media posts

CVSS V3.1

Attack Vector:Adjacent_network
Attack Complexity:Low
Privileges Required:None
User Interaction:None
Scope:Unchanged
Confidentiality:High
Integrity:High
Availability Impact:High

Categories

Be the first to know about critical vulnerabilities

Collect, analyze, and share vulnerability reports faster using AI