Command injection in KAON AR2140 routers
Description
Firmware in KAON AR2140 routers, prior to versions 3.2.50 and 4.2.16, is vulnerable to shell command injection by sending a crafted request to one of the endpoints. Exploiting this vulnerability requires access to the administrative portal of the router.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
KAON AR2140 router firmware (versions 3.2.46 up to, but not including, 4.2.16) allows an authenticated administrator to inject shell commands via a crafted request to an endpoint.
Vulnerability
CVE-2024-3659 is a shell command injection vulnerability in the firmware of KAON AR2140 routers, classified as CWE-77 (Improper Neutralization of Special Elements used in a Command). The flaw resides in one of the router's endpoints and is present in firmware versions from 3.2.46 up to, but not including, 4.2.16. Older versions (below 3.2.46) were not tested but may also be affected [1], [2].
Exploitation
An attacker must already have access to the administrative portal of the router. With that access, they can send a crafted request to the vulnerable endpoint, which does not properly sanitize special shell characters, allowing injection of arbitrary operating system commands [1], [2].
Impact
Successful exploitation enables the attacker to execute arbitrary shell commands on the router's underlying operating system. This gives the attacker high-privileged control over the device, potentially allowing full compromise of network traffic, device configuration, and connected systems [1], [2].
Mitigation
KAON released firmware version 4.2.16, which fixes the vulnerability. Users are advised to update to this version or later. For routers still running versions prior to 4.2.16, the only workaround is to restrict access to the administrative portal to trusted users, since network-level filtering cannot fully mitigate the issue. No other public advisory or KEV listing is available [1], [2].
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- KAON Group / AR2140v5, range: 3.0.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- cert.pl/en/posts/2024/08/CVE-2024-3659 (mitre, third-party-advisory)
- cert.pl/posts/2024/08/CVE-2024-3659 (mitre, third-party-advisory)
News mentions
No linked articles in our index yet.