CVE-2017-8333
Description
An issue was discovered on Securifi Almond, Almond+, and Almond 2015 devices with firmware AL-R096. The device provides a user with the capability of adding new routes to the device. It seems that the POST parameters passed in this request to set up routes on the device can be set in such a way that would result in passing commands to a "popen" API in the function and thus result in command injection on the device. If the firmware version AL-R096 is dissected using binwalk tool, we obtain a cpio-root archive which contains the filesystem set up on the device that contains all the binaries. The binary "goahead" is the one that has the vulnerable function that receives the values sent by the POST request. If we open this binary in IDA-pro we will notice that this follows a MIPS little endian format. The function sub_00420F38 in IDA pro is identified to be receiving the values sent in the POST request and the value set in POST parameter "dest" is extracted at address 0x00420FC4. The POST parameter "dest is concatenated in a route add command and this is passed to a "popen" function at address 0x00421220. This allows an attacker to provide the payload of his/her choice and finally take control of the device.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Command injection in Securifi Almond devices allows remote unauthenticated attackers to execute arbitrary commands via a crafted POST destination parameter.
Vulnerability
Securifi Almond, Almond+, and Almond 2015 devices running firmware version AL-R096 are vulnerable to command injection. The goahead binary contains the vulnerable function sub_00420F38 which processes POST parameters used to add new routes. The dest parameter extracted at address 0x00420FC4 is concatenated directly into a route add command and passed to a popen API at address 0x00421220. No sanitization is performed on the dest value. The vulnerability is documented in reference [1] and [2].
Exploitation
An attacker can send a crafted POST request to the device's web interface, providing a malicious value in the dest parameter. The value is passed unsanitized to a popen call, which executes the command. No authentication is required. The attacker only needs network access to the device's management interface.
Impact
Successful exploitation allows arbitrary command execution on the device with the privileges of the goahead process (typically root). The attacker can fully compromise the device, gaining control over its functions, and potentially use it as a pivot for further attacks on the local network.
Mitigation
No patched firmware version has been released by Securifi as of this writing. Users should isolate the device on a separate network segment, restrict access to the web interface, and monitor for alternative firmware updates or replace the device if possible. The vulnerability may be referenced in future KEV listing if the vendor remains unresponsive.
Citations: [1], [2]
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2- Securifi/Almonddescription
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
3- packetstormsecurity.com/files/153227/Securifi-Almond-2015-Buffer-Overflow-Command-Injection-XSS-CSRF.htmlmitrex_refsource_MISC
- github.com/ethanhunnt/IoT_vulnerabilities/blob/master/Securifi_Almond_plus_sec_issues.pdfmitrex_refsource_MISC
- seclists.org/bugtraq/2019/Jun/8mitremailing-listx_refsource_BUGTRAQ
News mentions
0No linked articles in our index yet.