Chengdu VEC40G denial of service

Vulnerability

Chengdu VEC40G router firmware version 3.0 contains a command injection vulnerability in the /send_order.cgi endpoint when the parameter is set to restart. The restart parameter accepts a value such as reboot, which is passed directly to a system command without sanitization, allowing an attacker to inject arbitrary commands. The vulnerability exists in the default configuration and does not require any special conditions [1].

Exploitation

An attacker can exploit this vulnerability remotely by sending a crafted HTTP POST request to /send_order.cgi?parameter=restart with a JSON payload containing the restart key and a value that includes malicious command injection (e.g., restart": "reboot; id to execute commands). The attack does not require authentication or any prior access, as demonstrated by the public proof-of-concept [1]. The request can be sent from any network position if the router is reachable.

Impact

Successful exploitation allows an unauthenticated remote attacker to execute arbitrary system commands on the router with root privileges, leading to a full device compromise. The attacker can perform denial of service by issuing a reboot command, or escalate to more severe outcomes like data exfiltration, firmware modification, or use of the device in a botnet. The vulnerability impacts device availability and integrity [1].

Mitigation

The vendor (Chengdu) was contacted but did not respond, and no official patch or firmware update has been released as of the publication date (2023-06-12). Users should restrict network access to the router's web interface, block external access to the affected endpoint via firewall rules, or replace the device if continued use poses unacceptable risk. The exploit is publicly available, so immediate action is recommended [1].