Vulnerability Details : CVE-2018-10697
An issue was discovered on Moxa AWK-3121 1.14 devices. The Moxa AWK 3121 provides ping functionality so that an administrator can execute ICMP calls to check if the network is working correctly. However, the same functionality allows an attacker to execute commands on the device. The POST parameter "srvName" is susceptible to this injection. By crafting a packet that contains shell metacharacters, it is possible for an attacker to execute the attack.
Exploit prediction scoring system (EPSS) score for CVE-2018-10697
Probability of exploitation activity in the next 30 days: 0.65%
Percentile, the proportion of vulnerabilities that are scored at or less: ~ 79 % EPSS Score History EPSS FAQ
CVSS scores for CVE-2018-10697
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source |
|---|---|---|---|---|---|
|
9.3
|
HIGH | AV:N/AC:M/Au:N/C:C/I:C/A:C |
8.6
|
10.0
|
NIST |
|
8.8
|
HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
2.8
|
5.9
|
NIST |
CWE ids for CVE-2018-10697
-
The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.Assigned by: nvd@nist.gov (Primary)
References for CVE-2018-10697
-
https://seclists.org/bugtraq/2019/Jun/8
Bugtraq: Newly releases IoT security issuesMailing List;Third Party Advisory
-
https://github.com/samuelhuntley/Moxa_AWK_1121/blob/master/Moxa_AWK_1121
Moxa_AWK_1121/Moxa_AWK_1121 at master · samuelhuntley/Moxa_AWK_1121 · GitHubExploit;Third Party Advisory
-
http://packetstormsecurity.com/files/153223/Moxa-AWK-3121-1.14-Information-Disclosure-Command-Execution.html
Moxa AWK-3121 1.14 Information Disclosure / Command Execution ≈ Packet StormExploit;Third Party Advisory;VDB Entry
Products affected by CVE-2018-10697
- cpe:2.3:o:moxa:awk-3121_firmware:1.14:*:*:*:*:*:*:*