Inadequate input validation exposes the system to potential remote code execution (RCE) risks. Attackers can exploit this vulnerability by appending shell commands to the Speed-Measurement feature, enabling unauthorized code execution.
The vulnerability consists of insufficient input data validation (CWE-20) in the Speed-Measurement function. An attacker can inject additional shell commands into parameters passed to this function. As a result of this command injection mechanism, the passed commands are executed by the operating system with application privileges, without any authentication.
A remote, unauthenticated attacker can execute arbitrary code on the attacked system, which may lead to full system compromise, data breach, configuration modification, or disruption of system availability.
Patches available from the vendor should be applied according to the references (see: https://advisories.ncsc.nl/advisory?id=NCSC-2024-0273)
Versions indicated in vendor references (detailed information available in NCSC-2024-0273 message)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H