CVE-2021-26724 HIGH

CVE-2021-26724: Authenticated command injection when changing date settings or hostname in Guardian/CMC before 20.0.7.4

Vendor Nozomi Networks
Product Guardian
Weakness CWE-78
Published February 22, 2021
Last update September 17, 2024

CVSS base score

8.6/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

01Description

OS Command Injection vulnerability when changing date settings or hostname using web GUI of Nozomi Networks Guardian and CMC allows authenticated administrators to perform remote code execution. This issue affects: Nozomi Networks Guardian 20.0.7.3 version 20.0.7.3 and prior versions. Nozomi Networks CMC 20.0.7.3 version 20.0.7.3 and prior versions.

Key dates

02Disclosure timeline

February 22, 2021 CVE published
September 17, 2024 Record updated