Chengdu VEC40G Network Detection os command injection

Vulnerability

The Chengdu VEC40G (Flying Star enterprise intelligent online behavior management system) version 3.0 exposes a command injection vulnerability in the network detection functionality. The endpoint /send_order.cgi?parameter=access_detect does not sanitize the COUNT parameter, allowing an attacker to inject arbitrary OS commands by appending a pipe (|) character. Affected version is VEC40G 3.0 as disclosed in reference [1].

Exploitation

An attacker can exploit this vulnerability remotely without authentication. The reference [1] indicates that the device is accessible with default weak credentials (admin/admin123) for the web interface, but the injection point itself does not require prior authentication. The attacker sends a crafted HTTP GET request to the vulnerable CGI with the COUNT parameter set to, for example, 3 | netstat -an (the command from the CVE description) or any desired command. The proof-of-concept is publicly available [1].

Impact

Successful exploitation grants the attacker arbitrary OS command execution on the device with the privileges of the web server (typically root). This leads to full compromise of the appliance, including information disclosure, possibility of persistent backdoor installation, and potential lateral movement within the network. The CVSS score is high (critical) as per the CVE metadata.

Mitigation

As of the publication date (2023-05-04), the vendor (Chengdu) did not respond to disclosure attempts, and no patch or firmware update has been released [1]. The only mitigation is to restrict access to the web interface (e.g., firewall rules) and change the default credentials if the device is still in use. If possible, isolate the device from untrusted networks. The vulnerability is publicly known and likely to be added to exploitation frameworks.