CVE-2019-5072 — HIGH (7.8) — White Hats Nepal

Vulnerability Description

An exploitable command injection vulnerability exists in the /goform/WanParameterSetting functionality of Tenda AC9 Router AC1200 Smart Dual-Band Gigabit WiFi Route (AC9V1.0 Firmware V15.03.05.16multiTRU). A specially crafted HTTP POST request can cause a command injection in the DNS2 post parameters, resulting in code execution. An attacker can send HTTP POST request with command to trigger this vulnerability.

CVSS Score

7.8

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Tendacn	Ac9V1.0 Firmware	15.03.05.14_en
Tendacn	Ac1200 Smart Dual-Band Gigabit Wifi	-

Related Weaknesses (CWE)

CWE-78

References

https://talosintelligence.com/vulnerability_reports/TALOS-2019-0861ExploitThird Party Advisory
https://talosintelligence.com/vulnerability_reports/TALOS-2019-0861ExploitThird Party Advisory

FAQ

What is CVE-2019-5072?

CVE-2019-5072 is a vulnerability with a CVSS score of 7.8 (HIGH). An exploitable command injection vulnerability exists in the /goform/WanParameterSetting functionality of Tenda AC9 Router AC1200 Smart Dual-Band Gigabit WiFi Route (AC9V1.0 Firmware V15.03.05.16multi...

How severe is CVE-2019-5072?

CVE-2019-5072 has been rated HIGH with a CVSS base score of 7.8/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2019-5072?

Check the references section above for vendor advisories and patch information. Affected products include: Tendacn Ac9V1.0 Firmware, Tendacn Ac1200 Smart Dual-Band Gigabit Wifi.