ASUSWRT appGet.cgi OS Command Injection

Strike ID:
E20-5l8a2
CVSS:
9.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
False Positive:
f
Variants:
2
Year:
2018

Description

A command injection vulnerability exists in ASUSWRT firmware version 3.0.0.4.382.50624 and earlier. The flaw results from lack of user input validation for HTTP parameters on the 'appGet.cgi' path. By sending a crafted 'hook' parameter, a remote attacker may execute arbitrary OS commands as the 'root' user.

CVE

References