VYPR
Unrated severity · NVD Advisory · Published Aug 21, 2020 · Updated Aug 4, 2024

CVE-2020-24054

Description

Moog EXO Series EXVF5C-2 and EXVP7C2-3 units allow root-level arbitrary command execution via the statusbroadcast command using shell variable injection.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The Moog EXO Series EXVF5C-2 and EXVP7C2-3 units include a statusbroadcast command in their administration console that spawns a given process repeatedly at a configurable interval as root. The command is designed to accept only a path to a binary without arguments; however, this restriction can be bypassed using shell variable injection, such as ${IFS} to separate arguments. This allows an attacker to execute arbitrary commands as root on the affected units [1].

Exploitation

An attacker with access to the administration console (e.g., via network connectivity and valid credentials, or by leveraging other vulnerabilities such as hardcoded credentials or authentication bypass) can issue the statusbroadcast command with a crafted path that includes shell variables like ${IFS} to inject additional arguments. For example, specifying a path like /bin/sh${IFS}-c${IFS}id would execute the id command as root. No user interaction beyond issuing the command is required [1].
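The two paragraphs above describe the generic shape of this bug: a console field that is documented as "a path to a binary, no arguments" is handed to a shell, and the shell then performs parameter expansion and word splitting on it, so a value containing `${IFS}` stops being a single word. The following is an added example, not Moog's code and not taken from the advisory or its references; the function names, the allowlist of directories and the sample inputs are all constructed for illustration. It places the vulnerable pattern next to a hardened one: a syntactic validator that rejects whitespace and shell metacharacters at the input boundary, a filesystem check that the path is a regular executable, and a spawner that execs the binary with a one-element argv and no shell, so there is nothing left for a shell to expand.

```python
import os
import re
import subprocess

# Anything a POSIX shell would expand or treat as a word separator. Rejecting
# these at the boundary means "${IFS}" can never turn into a space later, and
# neither can quotes, backticks or command substitution.
_SHELL_METACHARS = re.compile(r"""[\s$`"'\\{}()<>|&;*?\[\]~!#]""")

# Constructed allowlist for this example: directories a status binary may live in.
DEFAULT_ALLOWED_DIRS = ("/bin", "/sbin", "/usr/bin", "/usr/sbin")


def validate_binary_path(path: str, allowed_dirs=DEFAULT_ALLOWED_DIRS) -> str:
    """Syntactic check for a 'path to a binary, no arguments' field.

    Returns the path unchanged if acceptable, otherwise raises ValueError.
    Pass allowed_dirs=None to skip the directory allowlist.
    """
    if not path or not path.startswith("/"):
        raise ValueError("path must be absolute")
    if "\x00" in path:
        raise ValueError("path contains NUL")
    if _SHELL_METACHARS.search(path):
        raise ValueError("path contains whitespace or shell metacharacters")
    # Reject empty, '.' and '..' components so the path is already canonical
    # and cannot escape the allowlisted directories.
    if any(part in ("", ".", "..") for part in path.split("/")[1:]):
        raise ValueError("path must be canonical (no empty, '.' or '..' components)")
    if allowed_dirs is not None and os.path.dirname(path) not in allowed_dirs:
        raise ValueError("binary is outside the allowed directories")
    return path


def is_acceptable_path(path: str, allowed_dirs=DEFAULT_ALLOWED_DIRS) -> bool:
    """Boolean convenience wrapper around validate_binary_path."""
    try:
        validate_binary_path(path, allowed_dirs)
        return True
    except ValueError:
        return False


def resolve_executable(path: str) -> str:
    """Filesystem check: the validated path must be a regular, executable file."""
    if not os.path.isfile(path) or not os.access(path, os.X_OK):
        raise ValueError("not a regular executable file")
    return path


def spawn_once_unsafe(path: str) -> int:
    """The vulnerable pattern, shown for contrast and never called here: the
    user-supplied value reaches a shell, which expands ${IFS} and splits the
    result into words, so a 'path' can carry arguments."""
    return subprocess.run(path, shell=True).returncode


def spawn_once(path: str, allowed_dirs=DEFAULT_ALLOWED_DIRS) -> int:
    """Hardened pattern: validate, then exec the binary directly with a
    one-element argv and no shell, so nothing is expanded or split."""
    binary = resolve_executable(validate_binary_path(path, allowed_dirs))
    proc = subprocess.run([binary], shell=False, stdin=subprocess.DEVNULL,
                          stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return proc.returncode


if __name__ == "__main__":
    # Constructed inputs, including the injected value quoted in the advisory.
    for candidate in ("/usr/bin/uptime", "/bin/sh${IFS}-c${IFS}id",
                      "/bin/sh -c id", "/tmp/status", "/bin/../bin/sh"):
        try:
            validate_binary_path(candidate)
            print(f"accepted: {candidate}")
        except ValueError as err:
            print(f"rejected: {candidate!r}: {err}")
```

The validator runs before any filesystem access, so the injected value in the advisory is refused on the `$`, `{` and `}` characters alone, and even a value that slipped past the regex would reach `subprocess.run` as a single argv element with `shell=False`, where `${IFS}` is just seven literal bytes in a filename. The directory allowlist is the extra step a practitioner would want on an appliance that runs the binary as root: it stops an operator (or a compromised account) from pointing the scheduler at a file in a writable location.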

Impact

Successful exploitation grants the attacker arbitrary command execution with root privileges on the affected Moog EXO unit. This leads to full compromise of the device, including the ability to modify system files, install malware, exfiltrate data, or pivot to other network resources [1].

Mitigation

As of the publication date (2020-08-21), no official patch or firmware update has been disclosed by Moog for this vulnerability. Users should restrict network access to the administration console to trusted hosts only, apply the principle of least privilege for administrative accounts, and monitor for vendor updates. If available, upgrading to a fixed firmware version is recommended [1].

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0

No patches discovered yet.

Vulnerability mechanics

No source-code context is available for this CVE; the mechanics section is only generated when the actual fix diff can be read. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References: 2

News mentions: 0

No linked articles in our index yet.