Vulnerability Description
Gargoyle router management utility versions 1.5.x contain an authenticated OS command execution vulnerability in /utility/run_commands.sh. The application fails to properly restrict or validate input supplied via the 'commands' parameter, allowing an authenticated attacker to execute arbitrary shell commands on the underlying system. Successful exploitation may result in full compromise of the device, including unauthorized access to system files and execution of attacker-controlled commands.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Gargoyle-Router | Gargoyle | >= 1.5.0, <= 1.5.11 |
Related Weaknesses (CWE)
References
- https://blog.xlab.qianxin.com/large-scale-botnet-airashi-en/ExploitThird Party Advisory
- https://packetstorm.news/files/id/132149Exploit
- https://www.gargoyle-router.com/Product
- https://www.vulncheck.com/advisories/gargoyle-authenticated-os-command-executionThird Party Advisory
- https://blog.xlab.qianxin.com/large-scale-botnet-airashi-en/ExploitThird Party Advisory
FAQ
What is CVE-2015-10145?
CVE-2015-10145 is a vulnerability with a CVSS score of 8.8 (HIGH). Gargoyle router management utility versions 1.5.x contain an authenticated OS command execution vulnerability in /utility/run_commands.sh. The application fails to properly restrict or validate input ...
How severe is CVE-2015-10145?
CVE-2015-10145 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2015-10145?
Check the references section above for vendor advisories and patch information. Affected products include: Gargoyle-Router Gargoyle.