Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2016-6558

A command injection vulnerability exists in apply.cgi on the ASUS RP-AC52 access point, firmware version 1.0.1.1s and possibly earlier, web interface specifically in the action_script parameter. The action_script parameter specifies a script to be executed if the action_mode parameter does not contain a valid state. If the input provided by action_script does not match one of the hard coded options, then it will be executed as the argument of either a system() or an eval() call allowing arbitrary commands to be executed.

Published

2018-07-13T20:29:00.847

Last Modified

2024-11-21T02:56:21.187

Status

Modified

Source

[email protected]

Severity

CVSSv3.0: 9.8 (CRITICAL)

CVSSv2 Vector

AV:N/AC:L/Au:N/C:P/I:P/A:P

  • Access Vector: NETWORK
  • Access Complexity: LOW
  • Authentication: NONE
  • Confidentiality Impact: PARTIAL
  • Integrity Impact: PARTIAL
  • Availability Impact: PARTIAL
Exploitability Score

10.0

Impact Score

6.4

Weaknesses
  • Type: Secondary
    CWE-77
  • Type: Primary
    CWE-77
Affected Vendors & Products
Type Vendor Product Version/Range Vulnerable?
Operating System asus rp-ac52_firmware ≤ 1.0.1.1s Yes
Hardware asus rp-ac52 - No
Operating System asus ea-n66_firmware - Yes
Hardware asus ea-n66 - No
Operating System asus rp-n12_firmware - Yes
Hardware asus rp-n12 - No
Operating System asus rp-n14_firmware - Yes
Hardware asus rp-n14 - No
Operating System asus rp-n53_firmware - Yes
Hardware asus rp-n53 - No
Operating System asus rp-ac56_firmware - Yes
Hardware asus rp-ac56 - No
Operating System asus wmp-n12_firmware - Yes
Hardware asus wmp-n12 - No
References