A high-severity vulnerability has been discovered in multiple products from the vendor "security," allowing an unauthenticated remote attacker to potentially execute arbitrary code and take full control of affected systems. Due to the high CVSS score of 8.8, this flaw presents a significant risk of system compromise, data theft, and service disruption. Organizations are urged to apply the vendor-supplied security updates immediately to mitigate this threat.

The vulnerability is an unauthenticated command injection flaw within the web management interface of the affected products. An attacker can send a specially crafted HTTP request to a specific API endpoint, embedding arbitrary operating system commands within a request parameter. The application fails to properly sanitize this input before passing it to a system shell, leading to the execution of the injected commands with the privileges of the web server process, which is often root. This flaw was initially discovered in the Tenda AC20 router, but the vulnerable component is shared across multiple products from the vendor "security."

This vulnerability is rated as high severity with a CVSS score of 8.8. Successful exploitation could have a severe impact on business operations. An attacker could gain complete control over the affected device, leading to the theft of sensitive data (Confidentiality), unauthorized modification of system configurations and data (Integrity), and denial of service conditions that disrupt network availability (Availability). Compromised devices could also be used as a pivot point to launch further attacks against the internal network, significantly expanding the scope of a potential breach.

Immediate Action: The primary remediation is to apply the security updates provided by the vendor across all affected products without delay. Prioritize patching for systems that are exposed to the internet. After patching, review system and access logs for any signs of compromise that may have occurred before the patch was applied.

Proactive Monitoring: Monitor web server access logs on affected devices for unusual or malformed requests, particularly those containing shell commands (e.g., wget, curl, |, &&, ;). Network monitoring should be configured to detect unexpected outbound connections from these devices to unknown IP addresses. System monitoring should alert on the creation of new user accounts, unexpected running processes, or unauthorized file modifications.

Compensating Controls: If immediate patching is not feasible, implement the following compensating controls:

• Restrict access to the device's web management interface to a trusted network segment or specific IP addresses using firewall rules.
• Deploy a Web Application Firewall (WAF) with rulesets designed to detect and block command injection attempts.
• Ensure robust logging is enabled for the affected systems and that logs are forwarded to a centralized SIEM for correlation and analysis.

Public Exploit Available: false

This vulnerability represents a critical risk to the organization. The high CVSS score of 8.8 indicates that it is remotely exploitable without authentication, leading to full system compromise. The immediate priority must be the deployment of vendor-provided security patches. While this CVE is not currently listed in the CISA KEV catalog, its severity makes it a prime candidate for future inclusion. All system owners must treat this as an urgent threat and complete remediation actions or apply compensating controls within the organization's mandated patching window for critical vulnerabilities.