CVE-2018-19660

Vulnerability

An authenticated command-injection vulnerability exists in the web server functionality of Moxa NPort W2x50A products with firmware versions before 2.2 Build_18082311. The flaw resides in the /goform/webSettingProfileSecurity endpoint, which does not properly sanitize user-supplied input before passing it to an OS command. An attacker with valid authentication credentials can exploit this by sending a specially crafted HTTP POST request, leading to arbitrary command execution as root [1].

Exploitation

An attacker must have a valid authenticated session on the device. The exploit is carried out by sending a crafted HTTP POST request to the /goform/webSettingProfileSecurity endpoint with a payload embedded in the request parameters. No user interaction is required beyond the initial authentication. The attack can be performed remotely over the network [1].

Impact

Successful exploitation allows the attacker to execute arbitrary operating system commands with root privileges. This results in full compromise of the device, including the ability to read, modify, or delete sensitive data, install malware, pivot to other network devices, and disrupt operations. The confidentiality, integrity, and availability of the affected device are entirely lost [1].

Mitigation

The vendor released firmware version 2.2 Build_18082311 to address this vulnerability. Users should immediately update to this version or later. No workarounds are documented. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog as of the publication date [1].