VYPR
Unrated severity · NVD Advisory · Published Jun 13, 2023 · Updated Jan 3, 2025

CVE-2023-31198

Description

An OS command injection vulnerability exists in Wi-Fi AP UNIT. If this vulnerability is exploited, a remote authenticated attacker with an administrative privilege may execute an arbitrary OS command. Affected products and versions are as follows: AC-PD-WAPU v1.05_B04 and earlier, AC-PD-WAPUM v1.05_B04 and earlier, AC-PD-WAPU-P v1.05_B04P and earlier, AC-PD-WAPUM-P v1.05_B04P and earlier, AC-WAPU-300 v1.00_B07 and earlier, AC-WAPUM-300 v1.00_B07 and earlier, AC-WAPU-300-P v1.00_B07 and earlier, and AC-WAPUM-300-P v1.00_B07 and earlier.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

An authenticated admin can inject arbitrary OS commands via a crafted request in multiple Inaba Denki Sangyo Wi-Fi AP UNIT models running the affected firmware versions.

Vulnerability

An OS command injection vulnerability (CWE-78) exists in the administrative web interface of Inaba Denki Sangyo Wi-Fi AP UNIT products. Affected versions are: AC-PD-WAPU v1.05_B04 and earlier, AC-PD-WAPUM v1.05_B04 and earlier, AC-PD-WAPU-P v1.05_B04P and earlier, AC-PD-WAPUM-P v1.05_B04P and earlier, AC-WAPU-300 v1.00_B07 and earlier, AC-WAPUM-300 v1.00_B07 and earlier, AC-WAPU-300-P v1.00_B07 and earlier, and AC-WAPUM-300-P v1.00_B07 and earlier [1]. The flaw allows injection of arbitrary system commands through specially crafted input parameters accessible to authenticated administrative users.

Exploitation

An attacker must first authenticate with administrative privileges to the device's management interface. Once authenticated, the attacker sends a specially crafted HTTP request containing operating system commands within the vulnerable parameter [1]. No user interaction beyond normal administrator operations is required.

Impact

Successful exploitation grants the attacker the ability to execute arbitrary OS commands with the privileges of the web server process, typically root or a highly privileged user [1]. This leads to full compromise of the device (confidentiality, integrity, availability), potentially allowing the attacker to install malware, exfiltrate network traffic, or pivot to internal networks.

Mitigation

The developer has announced that these products are end-of-life and no patches will be provided [1]. Users are advised to apply workarounds such as restricting network access to the management interface via firewall rules and disabling remote management if not required. The vendor recommends replacing the affected devices with supported alternatives.

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2
  • Inaba/AC-PD-WAPU (llm-fuzzy)
    Range: <= v1.05_B04
  • Inaba Denki Sangyo Co., Ltd./Wi-Fi AP UNIT (v5)
    Range: AC-PD-WAPU v1.05_B04 and earlier, AC-PD-WAPUM v1.05_B04 and earlier, AC-PD-WAPU-P v1.05_B04P and earlier, AC-PD-WAPUM-P v1.05_B04P and earlier, AC-WAPU-300 v1.00_B07 and earlier, AC-WAPUM-300 v1.00_B07 and earlier, AC-WAPU-300-P v1.00_B07 and earlier, and AC-WAPUM-300-P v1.00_B07 and earlier

Patches

0

No patches discovered yet.

References

2
