CVE-2024-28354

Published: Mar 15, 2024Modified: Apr 1, 2025

10.0

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Exploitability: 3.9 / Impact: 6.0

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Secondary)

Description

There is a command injection vulnerability in the TRENDnet TEW-827DRU router with firmware version 2.10B01. An attacker can inject commands into the post request parameters usapps.@smb[%d].username in the apply.cgi interface, thereby gaining root shell privileges.

Affected (1)

Products: Trendnet: Tew 827dru Firmware

1 product

Tew 827dru Firmware

Configuration A

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Trendnet Tew 827dru Firmware	Version 2.10b01

Running on/with	Platform Versions
Trendnet Tew 827dru	All versions

Related CWEs

Improper Neutralization of Special Elements used in a Command ('Command Injection')

The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.

References (2)

https://warp-desk-89d.notion.site/TEW-827DRU-c732df50b2454ecaa5451b02f3adda6a

Source: cve@mitre.org

ExploitThird Party Advisory

https://warp-desk-89d.notion.site/TEW-827DRU-c732df50b2454ecaa5451b02f3adda6a

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party Advisory

Timeline

No history available yet.