CVE-2024-50365 HIGH

CVE-2024-50365

Vendor Advantech

Product EKI-6333AC-2G

Weakness CWE-78

Published November 26, 2024

Last update November 26, 2024

View on NVD All CVEs

CVSS base score

7.2/10

Attack vector Network

Attack complexity Low

Privileges required High

User interaction None

Confidentiality High

Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01Description

A CWE-78 "Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')" was discovered affecting the following devices manufactured by Advantech: EKI-6333AC-2G (<= 1.6.3), EKI-6333AC-2GD (<= v1.6.3) and EKI-6333AC-1GPO (<= v1.2.1). The source of the vulnerability relies on multiple parameters belonging to the "lan_apply" API which are not properly sanitized before being concatenated to OS level commands.

Key dates

02Disclosure timeline

November 26, 2024 CVE published

November 26, 2024 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2024-50365

Related vulnerabilities

Identifiers

CVE CVE-2024-50365

CWE CWE-78

CVSS 7.2 / HIGH

Affected versions

Vendor Advantech

Product EKI-6333AC-2G

Affected ≤ <= 1.6.3

Vendor Advantech

Product EKI-6333AC-2GD

Affected ≤ <= 1.6.3

Vendor Advantech

Product EKI-6333AC-1GPO

Affected ≤ <= 1.2.1

CVE-2024-50365

01Description

02Disclosure timeline

03References

04Related CVE