Strike ID:
E20-5l8a2
CVSS:
10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
False Positive:
t
Variants:
4
Year:
2018

Description

A command injection vulnerability exists in ASUSWRT firmware version 3.0.0.4.382.50624 and earlier. The flaw results from lack of user input validation for HTTP parameters on the appGet.cgi path. By sending a crafted hook parameter, a remote attacker may execute arbitrary OS commands as the root user.

CVE

References

MSB

BID

ExploitDB

Secunia

Security Tracker

Metasploit

ZDI

Google

OSVDB

{}