VYPR
Unrated severity · NVD Advisory · Published Oct 2, 2023 · Updated Sep 20, 2024

CVE-2023-43891

Description

Netis N3Mv2-V1.0.1.865 was discovered to contain a command injection vulnerability in the Changing Username and Password function. This vulnerability is exploited via a crafted payload.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Netis N3Mv2-V1.0.1.865 router suffers from a command injection in the password change feature, allowing unauthenticated arbitrary command execution.

Vulnerability

Netis N3Mv2-V1.0.1.865 router firmware contains a command injection vulnerability in the "Changing Username and Password" function (FUN_00408dd0). The function uses RunSystemCmd with user-supplied username and password strings without proper sanitization, allowing an attacker to inject arbitrary commands. The affected version is Netis N3Mv2-V1.0.1.865 [1].
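The root cause described above is user input reaching a shell command line. The following is an added example of the corresponding fix pattern, not code from the Netis firmware or from the cited reference: it validates both fields against an allowlist and runs the helper with an explicit argument vector instead of a shell string. `CRED_MAX`, `credential_is_safe`, `run_argv`, `set_credentials` and `helper_path` are hypothetical names, and the allowed character set is an assumption.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#define CRED_MAX 32 /* assumed limit, not taken from the firmware */

/* Allowlist: 1..CRED_MAX chars of [A-Za-z0-9_.-]; no leading '-' so the
 * value cannot be read as an option by the program that receives it. */
int credential_is_safe(const char *s)
{
    if (s == NULL) return 0;
    size_t n = strlen(s);
    if (n == 0 || n > CRED_MAX || s[0] == '-') return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!isalnum(c) && c != '_' && c != '.' && c != '-') return 0;
    }
    return 1;
}

/* Run a program with an explicit argv. No shell parses the arguments, so
 * ';', '|' and backticks stay literal bytes. Returns exit status or -1. */
int run_argv(const char *path, char *const argv[])
{
    int status;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execv(path, argv);
        _exit(127); /* exec failed */
    }
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Hypothetical handler: helper_path stands in for whatever program the
 * firmware runs to store credentials. Returns -2 on rejected input. */
int set_credentials(const char *helper_path, const char *user, const char *pass)
{
    if (!credential_is_safe(user) || !credential_is_safe(pass)) return -2;
    char *const argv[] = { (char *)helper_path, (char *)user, (char *)pass, NULL };
    return run_argv(helper_path, argv);
}
```

Arguments passed this way are still visible in the process list, so a production handler would hand the password to the helper over stdin or a file descriptor rather than argv.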

Exploitation

An attacker with network access to the router's web interface can send a crafted HTTP request to the password change endpoint. Command separators (e.g., ;, |, or backticks) embedded in the username or password fields cause the injected command to be executed by the router. No prior authentication is required, as the vulnerable function is accessible without login [1].

Impact

Successful exploitation allows an unauthenticated attacker to execute arbitrary commands with root privileges on the router. This can lead to full device compromise, including data exfiltration, installation of malware, and use of the router as a pivot for further network attacks [1].

Mitigation

As of the publication date, no official patch has been released by Netis. Users are advised to restrict remote access to the router's web interface, change default credentials, and monitor for firmware updates from the vendor. If possible, disable the password change feature until a fix is available [1].

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2
  • Netis/N3Mv2 (source: description)
  • Netis/N3Mv2 (source: llm-fuzzy)
    Range: = V1.0.1.865

Patches

0

No patches discovered yet.

References

1