CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
HIGH
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
AI Score
Confidence
High
SSVC
Exploitation
poc
Automatable
no
Technical Impact
total
An OS command injection vulnerability exists in the api.cgi cmd.mvpn.x509.write functionality of peplink Surf SOHO HW1 v6.3.5 (in QEMU). A specially crafted HTTP request can lead to command execution. An attacker can make an authenticated HTTP request to trigger this vulnerability.This vulnerability is specifically for the system
call in the file /web/MANGA/cgi-bin/api.cgi
for firmware version 6.3.5 at offset 0x4bddb8.
[
{
"cpes": [
"cpe:2.3:o:peplink:surf_soho_firmware:6.3.5:*:*:*:*:*:*:*"
],
"vendor": "peplink",
"product": "surf_soho_firmware",
"versions": [
{
"status": "affected",
"version": "6.3.5"
}
],
"defaultStatus": "unknown"
}
]
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
HIGH
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
AI Score
Confidence
High
SSVC
Exploitation
poc
Automatable
no
Technical Impact
total