CVE-2019-17499
Description
The setter.xml component of the Common Gateway Interface on Compal CH7465LG 6.12.18.25-2p4 devices does not properly validate ping command arguments, which allows remote authenticated users to execute OS commands as root via shell metacharacters in the Target_IP parameter.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Authenticated users can execute OS commands as root via shell metacharacters in the ping Target_IP parameter on Compal CH7465LG devices, firmware 6.12.18.25-2p4.
Vulnerability
The setter.xml component of the Common Gateway Interface on Compal CH7465LG cable modem/router devices running firmware version 6.12.18.25-2p4 does not properly sanitize the Target_IP argument passed to the ping command. This allows injection of shell metacharacters, leading to OS command injection as root. The vulnerability resides in the administrative web interface, requiring authenticated access to the CGI endpoint.
Exploitation
An attacker must have valid administrative credentials to access the device's web interface. By crafting a Target_IP parameter that includes shell metacharacters (e.g., ;, |, or `), the attacker can append arbitrary OS commands after the ping destination. The device then executes the entire string as a root shell command.
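The server-side check whose absence is described above, as an added example (not Compal firmware code and not from the cited advisory). The function names is_valid_ping_target and run_ping are hypothetical; the sketch assumes a POSIX environment with a ping binary on PATH.

```c
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical helper: accept only a literal IPv4/IPv6 address.
 * inet_pton() rejects any string with extra characters, so shell
 * metacharacters, spaces and option-like strings ("-f") all fail. */
int is_valid_ping_target(const char *s)
{
    unsigned char buf[sizeof(struct in6_addr)];
    if (s == NULL || *s == '\0' || strlen(s) >= INET6_ADDRSTRLEN)
        return 0;
    return inet_pton(AF_INET, s, buf) == 1 || inet_pton(AF_INET6, s, buf) == 1;
}

/* Hypothetical handler body: run ping from an argv array, never via a shell.
 * Returns ping's exit status, or -1 if the target was rejected or on error. */
int run_ping(const char *target)
{
    if (!is_valid_ping_target(target))
        return -1;                       /* rejected before any process is created */

    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* "--" ends option parsing; target is a single argv element */
        char *const argv[] = { "ping", "-c", "1", "--", (char *)target, NULL };
        execvp("ping", argv);
        _exit(127);                      /* exec failed */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed sample inputs (documentation address ranges) */
    const char *samples[] = { "192.0.2.1", "2001:db8::1", "192.0.2.1;x", "-f" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-14s -> %s\n", samples[i],
               is_valid_ping_target(samples[i]) ? "accepted" : "rejected");
    return 0;
}
```

Allow-listing the address format and passing it as one argv element are independent controls; either alone keeps the value from being interpreted by a shell.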
Impact
Successful exploitation grants the attacker remote code execution with root privileges on the device. This enables full compromise of the router/modem, including the ability to modify network settings, intercept traffic, install persistent malware, or pivot to other devices on the local network.
Mitigation
As of the publication date (2019-10-11), no official firmware update or patch has been released by Compal. Affected users should restrict administrative access to trusted IPs only, disable remote management if possible, and monitor for vendor updates. The vulnerability is not currently listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.
[1]
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Compal/CH7465LG (description)
Patches
No patches discovered yet.
References
- gbti.pl/public/10_2019-compal.txt (mitre, x_refsource_MISC)