Vulnerability Details : CVE-2019-3497
Potential exploit
An issue was discovered on Wifi-soft UniBox controller 0.x through 2.x devices. The tools/ping Ping feature of the Diagnostic Tools component is vulnerable to Remote Command Execution, allowing an attacker to execute arbitrary system commands on the server with root user privileges. Authentication for accessing this component can be bypassed by using hard-coded credentials.
Products affected by CVE-2019-3497
- cpe:2.3:o:indionetworks:unibox_firmware:-:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2019-3497
- 7.86%: Probability of exploitation activity in the next 30 days
- ~91%: Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2019-3497
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
9.0 | HIGH | AV:N/AC:L/Au:S/C:C/I:C/A:C | 8.0 | 10.0 | NIST | |
8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 2.8 | 5.9 | NIST | |
CWE ids for CVE-2019-3497
- The product contains hard-coded credentials, such as a password or cryptographic key. Assigned by: nvd@nist.gov (Primary)
References for CVE-2019-3497
- https://sahildhar.github.io/blogpost/Multiple-RCE-Vulnerabilties-in-Unibox-Controller-0.x-3.x/
  [0-day] Multiple Root RCE in Unibox Wifi Access Controller 0.x - 3.x · Sahil Dhar (Exploit; Third Party Advisory)
- http://seclists.org/fulldisclosure/2019/Jan/23
  Full Disclosure: Multiple Root RCE in Unibox Wifi Access Controller 0.x - 3.x (Exploit; Mailing List; Third Party Advisory)
- http://packetstormsecurity.com/files/151077/Wifi-soft-Unibox-2.x-Remote-Command-Code-Injection.html
  Wifi-soft Unibox 2.x Remote Command / Code Injection ≈ Packet Storm (Exploit; Third Party Advisory; VDB Entry)