CVE-2019-3495
Description
Arbitrary file upload in Wifi-soft UniBox controller allows unauthenticated attackers to execute code as root via hardcoded credentials.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
An arbitrary file upload vulnerability exists in the network/mesh/edit-nds.php endpoint of Wifi-soft UniBox controller versions 0.x through 2.x. The endpoint does not properly validate uploaded files, allowing an attacker to upload .php files. Authentication for this component can be bypassed using hardcoded credentials, as disclosed in [1].
Exploitation
An attacker can first bypass authentication by leveraging the hardcoded credentials (e.g., default username/password) to access the administrative interface. Once authenticated, the attacker uploads a malicious .php file via network/mesh/edit-nds.php. The file is then executed on the server.
Impact
Successful exploitation results in remote code execution with root user privileges, leading to full compromise of the UniBox controller. The attacker can execute arbitrary commands, install malware, or pivot to other network resources.
Mitigation
No official patch has been released for this vulnerability. Affected users should restrict network access to the UniBox controller, disable the vulnerable endpoint if possible, and change any default credentials. Consider isolating the device on a segmented network until a fix is available.
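A log check that supports the access restriction recommended above, as an added example that is not part of the original advisory or of any vendor tooling: it flags requests to network/mesh/edit-nds.php that come from outside a management subnet. The Combined Log Format, the 10.20.0.0/24 subnet and the sample lines are assumptions constructed for illustration.

```python
import ipaddress
import posixpath
import re
from urllib.parse import unquote

VULN_PATH = "/network/mesh/edit-nds.php"  # endpoint named in the advisory text
# Assumption: the only subnet that should ever reach the controller's web UI.
MGMT_NETS = [ipaddress.ip_network("10.20.0.0/24")]
# Combined Log Format: ip ident user [time] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')

def normalize(target):
    """Drop the query string, decode %-escapes, collapse '//' and dot segments."""
    path = unquote(target.split("?", 1)[0])
    return posixpath.normpath(re.sub(r"/{2,}", "/", path))

def is_mgmt(ip):
    """True only for a parseable address inside an allowed management subnet."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # hostname or junk in the client field: treat as untrusted
    return any(addr in net for net in MGMT_NETS)

def find_suspect_requests(lines):
    """Return (ip, method, status, timestamp) for off-subnet hits on VULN_PATH."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or normalize(m["target"]) != VULN_PATH or is_mgmt(m["ip"]):
            continue  # malformed line, other path, or expected admin traffic
        hits.append((m["ip"], m["method"], m["status"], m["ts"]))
    return hits

# Constructed sample log lines (documentation-range addresses, not real traffic).
SAMPLE_LOG = [
    '10.20.0.5 - - [12/Jan/2019:10:01:02 +0000] "POST /network/mesh/edit-nds.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [12/Jan/2019:10:05:40 +0000] "POST /network//mesh/edit-nds.php?x=1 HTTP/1.1" 200 498 "-" "curl/7.58.0"',
    '198.51.100.9 - - [12/Jan/2019:10:06:11 +0000] "GET /network/mesh/%65dit-nds.php HTTP/1.1" 302 0 "-" "-"',
    '203.0.113.7 - - [12/Jan/2019:10:07:00 +0000] "GET /index.php HTTP/1.1" 200 1024 "-" "-"',
    'truncated or malformed line',
]

if __name__ == "__main__":
    for hit in find_suspect_requests(SAMPLE_LOG):
        print(hit)
```

Any hit means the endpoint is reachable from outside the management subnet, so the network restriction is not in effect for that source.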
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: 0.x through 2.x
Patches
No patches discovered yet.
References
- packetstormsecurity.com/files/151077/Wifi-soft-Unibox-2.x-Remote-Command-Code-Injection.html (mitre, x_refsource_MISC)
- seclists.org/fulldisclosure/2019/Jan/23 (mitre, mailing-list, x_refsource_MLIST)
- sahildhar.github.io/blogpost/Multiple-RCE-Vulnerabilties-in-Unibox-Controller-0.x-3.x/ (mitre, x_refsource_MISC)