CVE-2019-9507 HIGH

CVE-2019-9507: The web interface of the Vertiv Avocent UMG-4000 version 4.2.1.19 is vulnerable to arbitrary remote code execution

Vendor Vertiv
Product Avocent UMG-4000
Weakness CWE-95 · Eval injection
Published March 30, 2020
Last update September 17, 2024

CVSS base score

8.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Required
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L

What the vulnerability does

01 Description

The web interface of the Vertiv Avocent UMG-4000 version 4.2.1.19 is vulnerable to command injection because the application does not correctly neutralize code syntax before executing it. Because all commands within the web application are executed as root, a remote attacker authenticated with an administrator account could execute arbitrary commands as root.

Key dates

02 Disclosure timeline

March 30, 2020 CVE published
September 17, 2024 Record updated