The service wmp-agent of KerOS prior 5.12 does not properly validate so-called ‘magic URLs’ allowing an unauthenticated remote attacker to execute arbitrary OS commands as root when the service is reachable over network. Typically, the service is protected via local firewall.
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:HKerlink Keros
OSKerlink5.0 – 5.12 (bez)
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
Firewall
CWE
Related vulnerabilities
CVE-2024-32384MEDIUM6.8ten sam produkt
Kerlink gateways running KerOS prior to version 5.10 expose their web interface exclusively over HTTP, without...
CVE-2024-32388MEDIUM5.3ten sam produkt
Due to a firewall misconfiguration, Kerlink devices running KerOS prior to 5.12 incorrectly accept specially c...