CVE-2021-26724 : OS Command Injection vulnerability when changing date settings or hostname using

OS Command Injection vulnerability when changing date settings or hostname using web GUI of Nozomi Networks Guardian and CMC allows authenticated administrators to perform remote code execution. This issue affects: Nozomi Networks Guardian 20.0.7.3 version 20.0.7.3 and prior versions. Nozomi Networks CMC 20.0.7.3 version 20.0.7.3 and prior versions.

Published 2021-02-22 21:15:20

Updated 2024-05-28 11:15:09

Source Nozomi Networks Inc.

View at NVD, CVE.org

Vulnerability category: Execute code

Products affected by CVE-2021-26724

Nozominetworks » Central Management Control
Versions from including (>=) 19.0.0 and up to, including, (<=) 19.0.12
cpe:2.3:a:nozominetworks:central_management_control:*:*:*:*:*:*:*:*
Matching versions
Nozominetworks » Central Management Control
Versions from including (>=) 20.0.0.0 and before (<) 20.0.7.4
cpe:2.3:a:nozominetworks:central_management_control:*:*:*:*:*:*:*:*
Matching versions
Nozominetworks » Guardian
Versions from including (>=) 19.0.0 and before (<) 19.0.12
cpe:2.3:a:nozominetworks:guardian:*:*:*:*:*:*:*:*
Matching versions
Nozominetworks » Guardian
Versions from including (>=) 20.0.0.0 and before (<) 20.0.7.4
cpe:2.3:a:nozominetworks:guardian:*:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2021-26724

EPSS FAQ

5.43%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 89 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2021-26724

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
9.0	HIGH	AV:N/AC:L/Au:S/C:C/I:C/A:C	8.0	10.0	NIST
Access Vector: Network Access Complexity: Low Authentication: Single Confidentiality Impact: Complete Integrity Impact: Complete Availability Impact: Complete
7.2	HIGH	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H	1.2	5.9	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: High User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High
7.2	HIGH	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H	1.2	5.9	Nozomi Networks Inc.
Attack Vector: Network Attack Complexity: Low Privileges Required: High User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High

CWE ids for CVE-2021-26724

CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
Assigned by:
- nvd@nist.gov (Primary)
- prodsec@nozominetworks.com (Secondary)

References for CVE-2021-26724

https://security.nozominetworks.com/NN-2021:1-01

NN-2021:1-01 - Authenticated command injection when changing date settings or hostname in Guardian/CMC before 20.0.7.4 - CVE-2021-26724 | Product Security Incident Response Portal
Vendor Advisory

Jump to

Vulnerability Details : CVE-2021-26724

Products affected by CVE-2021-26724

Exploit prediction scoring system (EPSS) score for CVE-2021-26724

CVSS scores for CVE-2021-26724

CWE ids for CVE-2021-26724

References for CVE-2021-26724