Description
Advantech EKI-1524, EKI-1522, EKI-1521 devices through 1.21 are affected by an command injection vulnerability in the device name input field, which can be triggered by authenticated users via a crafted POST request.
CVSS breakdown
CVSS 3.1
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
Affected products
- Advantech / EKI-15210 – 1.21
- Advantech / EKI-15220 – 1.21
- Advantech / EKI-15240 – 1.21
References
- MISChttps://www.advantech.com/en/support/details/firmware?id=1-1J9BED3
- MISChttps://www.advantech.com/en/support/details/firmware?id=1-1J9BEBL
- MISChttps://www.advantech.com/en/support/details/firmware?id=1-1J9BECT
- MISChttps://cyberdanube.com/en/multiple-vulnerabilities-in-advantech-eki-15xx-series/
- MAILING_LISThttp://seclists.org/fulldisclosure/2023/May/4
- EXPLOIThttp://packetstormsecurity.com/files/172307/Advantech-EKI-15XX-Series-Command-Injection-Buffer-Overflow.html