CVE-2024-5403

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') (CWE-78)

Published: May 27, 2024 / Updated: 5mo ago

CVSS 7.2 / EPSS 0.05% / High

Summary

ASKEY 5G NR Small Cell fails to properly filter user input for certain functionality, allowing remote attackers with administrator privilege to execute arbitrary system commands on the remote server.

Impact

Remote attackers with administrator privileges could execute arbitrary commands on the affected system, potentially leading to complete system compromise. This could allow attackers to steal sensitive data, disrupt services, install malware, or gain persistent remote access.

Exploitation

There is no evidence that a public proof-of-concept exists, and no evidence of exploitation at the moment.

Patch

The vendor has not released patch information yet, but updates are expected to address this vulnerability.

Mitigation

Apply vendor patches or updates as soon as they become available. Restrict administrator access to trusted and authorized personnel only. Implement input validation and sanitization on user inputs. Follow the principle of least privilege.

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Timeline

CVE Assignment
NVD published the first details for CVE-2024-5403
May 27, 2024 at 7:15 AM

CVSS
A CVSS base score of 7.2 has been assigned.
May 27, 2024 at 7:20 AM / nvd

First Article
Feedly found the first article mentioning CVE-2024-5403.
May 27, 2024 at 7:24 AM / National Vulnerability Database

EPSS
EPSS Score was set to: 0.05% (Percentile: 20%)
May 27, 2024 at 9:43 AM

Trending
This CVE started to trend in security discussions
May 27, 2024 at 10:52 AM

Trending
This CVE stopped trending in security discussions
May 30, 2024 at 7:27 AM

CVSS Estimate
Feedly estimated the CVSS score as HIGH
Jun 29, 2024 at 11:58 AM

Affected Systems

Askey

Attack Patterns

CAPEC-108: Command Line Execution through SQL Injection

News

ASKEY 5G NR Small Cell - OS Command Injection
TVN List
TVN-202406018 udn News App - Insecure Data Storage CVE-2024-6295
TVN-202406017 udn News App - Sensitive Information Exposure CVE-2024-6294
TVN-202406016 Openfind MailGates and MailAudit - OS Command Injection CVE-2024-6048
TVN-202406015 GeoVision EOL device - OS Command Injection CVE-2024-6047
TVN-202406013 D-Link router - Hidden Backdoor CVE-2024-6045
TVN-202406012 D-Link router - Arbitrary File Reading CVE-2024-6044
TVN-202406011 ASUS Router - Upload arbitrary firmware CVE-2024-3912
TVN-202406010 Soar Cloud HR Portal - Cleartext Transmission of Sensitive Information CVE-2024-5996
TVN-202406009 Soar Cloud HR Portal - Insufficient Session Expiration CVE-2024-5995
TVN-202406008 ASUS Download Master - Buffer Overflow CVE-2024-31163
TVN-202406007 ASUS Download Master - OS Command Injection CVE-2024-31162
TVN-202406006 ASUS Download Master - Arbitrary File Upload CVE-2024-31161
TVN-202406005 ASUS Download Master - Stored XSS CVE-2024-31160
TVN-202406004 ASUS Download Master - Reflected XSS CVE-2024-31159
TVN-202406003 ASUS Router - Improper Authentication CVE-2024-3080
TVN-202406002 ASUS Router - Stack-based Buffer Overflow CVE-2024-3079
TVN-202406001 DigiWin EasyFlow .NET - SQL Injection CVE-2024-5311
TVN-202405006 MinMax CMS - Hidden Functionality CVE-2024-5514
TVN-202405005 ASKEY 5G NR Small Cell - OS Command Injection CVE-2024-5403
TVN-202405004 Openfind Mail2000 - OS Command Injection CVE-2024-5400
US-CERT Vulnerability Summary for the Week of May 27, 2024
The CISA Vulnerability Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. NVD is sponsored by CISA. In some cases, the vulnerabilities in the bulletin may not yet have assigned CVSS scores. Please visit NVD for updated vulnerability entries, which include CVSS scores once they are available. Vulnerabilities are based on the Common Vulnerabilities and Exposures (CVE) vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division of high, medium, and low severities correspond to the following scores:
High: vulnerabilities with a CVSS base score of 7.0–10.0
Medium: vulnerabilities with a CVSS base score of 4.0–6.9
Low: vulnerabilities with a CVSS base score of 0.0–3.9
Entries may include additional information provided by organizations and efforts sponsored by CISA.
Vulnerability Summary for the Week of May 27, 2024
Improper privilege management vulnerability in Astrotalks affecting version 10/0 SQL injection vulnerability in Astrotalks affecting version 10/03/2023.
Vulnerability Summary for the Week of May 27, 2024
aschloder, Jun 03, 2024

High Vulnerabilities

Primary Vendor -- Product | Description | Published | CVSS Score | Source & Patch Info
ASKEY--5G NR Small Cell | ASKEY 5G NR Small Cell fails to properly filter user input for certain functionality, allowing remote attackers with administrator privilege to execute arbitrary system commands on the remote server. | 2024-05-27 | 7.2 | CVE-2024-5403 twcert@cert.org.tw
Astrotalks--Astrotalks | SQL injection vulnerability in Astrotalks affecting version 10/03/2023. This vulnerability could allow an authenticated local user to send a specially crafted SQL query to the 'searchString' parameter and retrieve all information stored in the database. | 2024-05-31 | 8.8 | CVE-2024-5523 cve-coordination@incibe.es
Astrotalks--Astrotalks | Improper privilege management vulnerability in Astrotalks affecting version 10/03/2023. This vulnerability allows a local user to access the application as an administrator without any provided credentials, allowing the attacker to perform administrative actions. | 2024-05-31 | 8.3 | CVE-2024-5525 cve-coordination@incibe.es
AutomationDirect--P3-550E | A leftover debug code vulnerability exists in the Telnet Diagnostic Interface functionality of AutomationDirect P3-550E 1.2.10.9. A specially crafted series of network requests can lead to unauthorized access. An attacker can send a sequence of requests to trigger this vulnerability. | 2024-05-28 | 9.8 | CVE-2024-21785 talos-cna@cisco.com talos-cna@cisco.com
AutomationDirect--P3-550E | A write-what-where vulnerability exists in the Programming Software Connection Remote Memory Diagnostics functionality of AutomationDirect P3-550E 1.2.10.9. A specially crafted network packet can lead to an arbitrary write. | | |

CVSS V3.1

Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability Impact: High
