CVE-2023-43890
Description
Netis N3Mv2-V1.0.1.865 was discovered to contain a command injection vulnerability in the diagnostic tools page. This vulnerability is exploited via a crafted HTTP request.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The diagnostic tools page of the Netis N3Mv2-V1.0.1.865 router contains a command injection vulnerability whose input filter can be bypassed, allowing authenticated remote attackers to execute OS commands as root.
Vulnerability
The Netis N3Mv2 router firmware version V1.0.1.865 contains a command injection vulnerability in the diagnostic tools page, specifically in the ping and traceroute functions. The affected code rejects input containing spaces, |, ;, or & characters, but the filter can be bypassed because it does not block other command injection techniques such as backticks or $() substitution. The vulnerability resides in the function FUN_0040bd60, which processes the IpAddr parameter [1].
Exploitation
An attacker must have administrative access to the router's web interface. The attacker can craft an HTTP request to the diagnostic tools page with a payload in the IpAddr field that bypasses the filter (e.g., using backticks or $()). The application then passes the unsanitized input directly into a ping or traceroute command executed via system() [1].
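The filter gap described above, as an added example that is not code from the firmware or the advisory: a reconstruction of the character denylist beside an allow-list validator and a ping call that uses no shell. The function names and the constructed sample input are assumptions; only the rejected characters, the IpAddr parameter and the use of system() come from the page.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Denylist as the page describes it (hypothetical reconstruction): reject
 * space, '|', ';' and '&'. Returns 1 when the input is accepted. */
int denylist_accepts(const char *ip_addr)
{
    return strpbrk(ip_addr, " |;&") == NULL;
}

/* Allow-list: accept only a literal IPv4 or IPv6 address. */
int allowlist_accepts(const char *ip_addr)
{
    unsigned char buf[sizeof(struct in6_addr)];
    if (strlen(ip_addr) >= INET6_ADDRSTRLEN)
        return 0;
    return inet_pton(AF_INET, ip_addr, buf) == 1 ||
           inet_pton(AF_INET6, ip_addr, buf) == 1;
}

/* Validate, then run ping from an argv array so no shell parses the input.
 * Returns ping's exit status (127 if ping could not be executed), or -1 if
 * the input is rejected or the child could not be created or waited for. */
int safe_ping(const char *ip_addr)
{
    int status;
    pid_t pid;

    if (!allowlist_accepts(ip_addr))
        return -1;
    if ((pid = fork()) < 0)
        return -1;
    if (pid == 0) {
        execlp("ping", "ping", "-c", "1", ip_addr, (char *)NULL);
        _exit(127);
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    const char *sample = "$(id)"; /* constructed input, no denied character */
    printf("denylist=%d allowlist=%d\n", denylist_accepts(sample), allowlist_accepts(sample));
    return 0;
}
```

The denylist accepts the constructed substitution string because none of its four characters appear in it, while the address parser rejects anything that is not a literal address.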
Impact
Successful exploitation allows the authenticated attacker to execute arbitrary OS commands on the router as the root user, leading to full compromise of the device. This can result in unauthorized network access, data exfiltration, or using the device as a pivot point [1].
Mitigation
As of the published advisory [1], no official firmware patch has been released by Netis. Administrators should restrict access to the web management interface, disable remote management if possible, and monitor for anomalous traffic. The affected version is Netis N3Mv2-V1.0.1.865. Users should check the vendor's website for future firmware updates [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Netis/N3Mv2
Patches
No patches discovered yet.
References