Vulnerabilities > CVE-2018-16752 - Insecure Default Initialization of Resource vulnerability in Linknet-Usa Lw-N605R Firmware 12.20.2.1486

CVSS 9.0 - CRITICAL

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

SINGLE

Confidentiality impact

COMPLETE

Integrity impact

COMPLETE

Availability impact

COMPLETE

network

low complexity

linknet-usa

CWE-1188

critical

exploit available

NVD

Published: 2018-09-20

Updated: 2019-10-03

Summary

LINK-NET LW-N605R devices with firmware 12.20.2.1486 allow Remote Code Execution via shell metacharacters in the HOST field of the ping feature at adm/systools.asp. Authentication is needed but the default password of admin for the admin account may be used in some cases.

Vulnerable Configurations

Part	Description	Count
OS	Linknet-Usa Linknet USA LW N605R Firmware 12.20.2.1486	1
Hardware	Linknet-Usa Linknet USA LW N605R -	1

Common Weakness Enumeration (CWE)

CWE-1188 - Insecure Default Initialization of Resource

Exploit-Db

description	LW-N605R 12.20.2.1486 - Remote Code Execution. Webapps exploit for Hardware platform
file	exploits/hardware/webapps/45351.py
id	EDB-ID:45351
last seen	2018-10-07
modified	2018-09-10
platform	hardware
port
published	2018-09-10
reporter	Exploit-DB
source	https://www.exploit-db.com/download/45351/
title	LW-N605R 12.20.2.1486 - Remote Code Execution
type	webapps

Packetstorm

data source	https://packetstormsecurity.com/files/download/149297/LW-N605R.txt
id	PACKETSTORM:149297
last seen	2018-09-11
published	2018-09-10
reporter	Nassim Asrir
source	https://packetstormsecurity.com/files/149297/LW-N605R-Remote-Code-Execution.html
title	LW-N605R Remote Code Execution

Summary

Vulnerable Configurations

Common Weakness Enumeration (CWE)

Exploit-Db

Packetstorm

References