VYPR
Unrated severity · NVD Advisory · Published Nov 23, 2022 · Updated Apr 25, 2025

CVE-2020-23584

Description

Unauthenticated remote code execution in OPTILINK OP-XT71000N, Hardware Version V2.2, occurs when an attacker passes arbitrary commands along with the IP address, using "|", in the "PingTest" parameter of "/diag_tracert_admin.asp", which leads to command execution.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Unauthenticated remote code execution in OPTILINK OP-XT71000N via command injection in the PingTest parameter of /diag_tracert_admin.asp.

Vulnerability

The vulnerability resides in the PingTest parameter of the /diag_tracert_admin.asp endpoint on OPTILINK OP-XT71000N devices with Hardware Version V2.2 and Firmware Version OP_V3.3.1-191028 [1]. The application fails to sanitize user-supplied input, allowing an attacker to inject arbitrary operating system commands by appending a pipe (|) character to the IP-ADDRESS field [1].

Exploitation

An unauthenticated attacker can exploit this by sending a crafted HTTP request to the vulnerable endpoint, passing a malicious IP-ADDRESS value that includes a pipe followed by arbitrary commands [1]. No authentication or prior access is required. The device then executes the injected commands with the privileges of the web server process [1].

Impact

Successful exploitation results in remote code execution on the affected device [1]. An attacker can gain full control over the device, potentially leading to data exfiltration, further network compromise, or denial of service.

Mitigation

As of the publication date (2022-11-23), no official patch or firmware update has been released by OPTILINK [1]. Users should restrict network access to the device's management interface to trusted hosts only, and monitor for vendor updates. If possible, disable remote management or place the device behind a firewall [1].

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
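
With no vendor patch available, defenders can watch web access logs for requests to the affected endpoint that come from outside the management network or carry a PingTest value that is not a plain address. The following Python script is an added example, not code from the advisory or the vendor; the log layout, the presence of PingTest in the logged query string, and the 10.0.50.0/24 management subnet are assumptions, and the sample lines are constructed.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

ENDPOINT = "/diag_tracert_admin.asp"            # endpoint named in the advisory
PARAM = "PingTest"                              # parameter named in the advisory
TRUSTED = ipaddress.ip_network("10.0.50.0/24")  # assumed management subnet
HOSTNAME = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9.-]{0,251}[A-Za-z0-9])?")
# Assumed log layout: client address first, request line in double quotes.
LINE = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def is_plain_target(value):
    """Allow-list check: True only for a literal IP address or a hostname."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return HOSTNAME.fullmatch(value) is not None

def is_trusted(client):
    try:
        return ipaddress.ip_address(client) in TRUSTED
    except ValueError:  # an unparseable client field counts as untrusted
        return False

def scan(lines):
    """Return (line_no, client, reasons) for each suspicious endpoint hit."""
    findings = []
    for no, line in enumerate(lines, 1):
        m = LINE.match(line)
        if not m or urlsplit(m.group(2)).path.lower() != ENDPOINT:
            continue
        client, query = m.group(1), urlsplit(m.group(2)).query
        reasons = [] if is_trusted(client) else ["untrusted-source"]
        # parse_qs percent-decodes, so an encoded pipe (%7C) is seen as "|".
        values = parse_qs(query, keep_blank_values=True).get(PARAM, [])
        if any(not is_plain_target(v.strip()) for v in values):
            reasons.append("non-address-PingTest")
        if reasons:
            findings.append((no, client, reasons))
    return findings

SAMPLE = [  # constructed log lines using documentation address ranges
    '10.0.50.7 - - [01/Jan/2023:10:00:00 +0000] "GET /diag_tracert_admin.asp?PingTest=192.0.2.1 HTTP/1.1" 200 512',
    '203.0.113.9 - - [01/Jan/2023:10:01:00 +0000] "GET /diag_tracert_admin.asp?PingTest=192.0.2.1%7Cexample-command HTTP/1.1" 200 40',
    '198.51.100.4 - - [01/Jan/2023:10:03:00 +0000] "GET /diag_tracert_admin.asp?PingTest=example.org HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    print(*scan(SAMPLE), sep="\n")
```

Because the endpoint requires no authentication, any hit tagged `untrusted-source` is worth reviewing even when the PingTest value itself looks benign.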

Affected products

2

Patches

0

No patches discovered yet.
