CVE-2025-14707

A security flaw has been discovered in Shiguangwu sgwbox Multiple Products

A critical remote command injection vulnerability has been identified in Shiguangwu sgwbox products.

Executive summary

A critical remote command injection vulnerability has been identified in Shiguangwu sgwbox products. This flaw allows a remote, unauthenticated attacker to execute arbitrary commands on an affected device by sending a specially crafted request, potentially leading to a full system compromise, data theft, or further network intrusion.

Vulnerability

The vulnerability is a command injection flaw within the DOCKER Feature component. Specifically, an unknown function in the /usr/sbin/http_eshell_server binary fails to properly sanitize user-supplied input to the params argument. A remote, unauthenticated attacker can craft a malicious request containing arbitrary OS commands within this argument. When the server processes this request, the injected commands are executed on the underlying operating system with the privileges of the server process, leading to a full system compromise.
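To make the flaw class concrete, the following is an added illustration and not code from the sgwbox binary or from the vendor: a hypothetical request handler that splices the `params` argument into a shell command string (the vulnerable pattern the advisory describes) next to a hardened version that validates the argument against an allowlist and passes an argv list to the program without a shell. The `docker` subcommand allowlist and the container-reference pattern are assumptions chosen for the illustration.

```python
import re
import subprocess

# Assumed allowlist of sub-commands the hypothetical handler is meant to expose.
ALLOWED_SUBCOMMANDS = {"ps", "images", "inspect"}

# A container name or ID drawn from a fixed character set; no shell syntax can fit.
CONTAINER_REF = re.compile(r"[A-Za-z0-9][A-Za-z0-9_.-]{0,63}")


def build_shell_command_unsafe(params: str) -> str:
    """Vulnerable pattern: untrusted `params` is concatenated into a command
    string destined for /bin/sh. The string is returned rather than executed so
    the injected metacharacters are visible without running anything."""
    return f"docker {params}"


def build_argv_safe(params: str) -> list[str]:
    """Hardened pattern: validate every token, then return an argv list that is
    handed to the program directly (shell=False), so metacharacters are data."""
    tokens = params.split()
    if not tokens or tokens[0] not in ALLOWED_SUBCOMMANDS:
        raise ValueError(f"subcommand not permitted: {params!r}")
    for token in tokens[1:]:
        if not CONTAINER_REF.fullmatch(token):
            raise ValueError(f"argument rejected: {token!r}")
    return ["docker", *tokens]


def is_rejected(params: str) -> bool:
    """True if the hardened builder refuses the input."""
    try:
        build_argv_safe(params)
    except ValueError:
        return True
    return False


def run_safe(params: str) -> subprocess.CompletedProcess:
    """Execute a validated request without a shell (needs docker on the host)."""
    return subprocess.run(
        build_argv_safe(params), shell=False, capture_output=True, text=True, timeout=10
    )


if __name__ == "__main__":
    # Constructed inputs: a legitimate request and two carrying shell syntax.
    for sample in ("ps", "ps;id", "inspect $(id)"):
        print(f"{sample!r:18} unsafe -> {build_shell_command_unsafe(sample)!r:24} "
              f"safe -> {'rejected' if is_rejected(sample) else build_argv_safe(sample)}")
```

The unsafe builder happily produces `docker ps;id`, which a shell would run as two commands; the safe builder rejects it at the first token, and rejects `inspect $(id)` because `$(id)` does not match the container-reference pattern. Note that input validation is the first layer; the decisive fix is that the hardened path never routes the argument through a shell at all.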

Business impact

This vulnerability is rated as critical severity with a CVSS score of 9.8, indicating a high risk to the organization. Successful exploitation could lead to a complete compromise of the affected sgwbox device, allowing an attacker to steal sensitive data, disrupt critical services, or install malicious software. The compromised device could then be used as a foothold to launch further attacks against the internal network, significantly expanding the scope of the breach and potentially leading to substantial financial and reputational damage.

Remediation

Immediate Action: The primary recommendation is to update affected Shiguangwu sgwbox products to the latest version that addresses this vulnerability. If a patch is available, apply it immediately. Following any update, continue to monitor for exploitation attempts and review access logs for signs of compromise.

Proactive Monitoring: Actively monitor logs associated with the /usr/sbin/http_eshell_server process for any unusual or malformed requests, specifically focusing on the contents of the params argument for shell metacharacters (e.g., |, &, ;, $). Implement network traffic analysis to detect anomalous outbound connections from affected devices. Monitor for unexpected shell processes (e.g., sh, bash, wget, curl) being spawned by the server process.
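The two monitoring ideas above (inspect the `params` argument for shell metacharacters; watch for unexpected shell or download processes descending from the server) can be scripted. The following is an added example, not tooling from the vendor or the advisory's author: it scans constructed access-log lines in common log format, extracts each percent-decoded `params` value and flags metacharacters, and checks a constructed process table for `sh`, `bash`, `wget` or `curl` anywhere in the ancestry of `http_eshell_server`. The log format, the sample lines and the process records are assumptions; the real device's log layout may differ, so only the parsing regex should need adjusting.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Metacharacters the advisory lists (|, &, ;, $) plus backtick, newline and
# redirection, which play the same role in a shell.
SHELL_META = re.compile(r"[|&;$`\n<>]")

# Child process names the advisory calls unexpected for the server process.
SUSPICIOUS_CHILDREN = {"sh", "bash", "wget", "curl"}

# Assumed common-log-format line: client, timestamp, quoted request line, status.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" (?P<status>\d{3})'
)


def params_values(request_line: str) -> list[str]:
    """Return every decoded value of the `params` query argument in a request
    line such as 'GET /docker?params=ps HTTP/1.1' (empty list if absent)."""
    parts = request_line.split(" ")
    if len(parts) < 2:
        return []
    query = urlsplit(parts[1]).query
    return parse_qs(query, keep_blank_values=True).get("params", [])


def scan_access_log(lines: list[str]) -> list[dict]:
    """Flag every request whose `params` value contains a shell metacharacter."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than crash the scan
        for value in params_values(m["request"]):
            hit = SHELL_META.search(value)
            if hit:
                findings.append({"client": m["client"], "timestamp": m["ts"],
                                 "params": value, "metachar": hit.group(0)})
    return findings


def descends_from(proc: dict, by_pid: dict, name: str, max_depth: int = 16) -> bool:
    """Walk the parent chain and report whether any ancestor is named `name`."""
    for _ in range(max_depth):
        parent = by_pid.get(proc["ppid"])
        if parent is None:
            return False
        if parent["comm"] == name:
            return True
        proc = parent
    return False


def suspicious_children(procs: list[dict]) -> list[dict]:
    """Given records {pid, ppid, comm}, return suspicious processes that descend
    from http_eshell_server (directly or via an intermediate shell)."""
    by_pid = {p["pid"]: p for p in procs}
    return [p for p in procs
            if p["comm"] in SUSPICIOUS_CHILDREN
            and descends_from(p, by_pid, "http_eshell_server")]


# Constructed sample data; not traffic or process state from any real device.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2025:10:00:01 +0000] "GET /docker?params=ps HTTP/1.1" 200 512',
    '192.0.2.10 - - [01/Jan/2025:10:00:02 +0000] "GET /status HTTP/1.1" 200 88',
    '198.51.100.7 - - [01/Jan/2025:10:00:03 +0000] "GET /docker?params=ps%3Bid HTTP/1.1" 200 640',
    '198.51.100.7 - - [01/Jan/2025:10:00:04 +0000] "GET /docker?params=%24%28id%29 HTTP/1.1" 200 640',
    "garbage line that does not parse",
]

SAMPLE_PROCS = [
    {"pid": 100, "ppid": 1, "comm": "http_eshell_server"},
    {"pid": 101, "ppid": 100, "comm": "docker"},   # expected child
    {"pid": 102, "ppid": 100, "comm": "sh"},       # shell spawned by the server
    {"pid": 103, "ppid": 102, "comm": "wget"},     # downloader under that shell
    {"pid": 200, "ppid": 1, "comm": "sh"},         # unrelated shell, not flagged
]

if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"[log] {f['client']} at {f['timestamp']}: params={f['params']!r} ({f['metachar']!r})")
    for p in suspicious_children(SAMPLE_PROCS):
        print(f"[proc] pid {p['pid']} ({p['comm']}) descends from http_eshell_server")
```

Running the block flags the two requests from 198.51.100.7 (`ps;id` and `$(id)`, the latter only visible after percent-decoding) and the `sh` and `wget` processes under the server, while leaving the benign `docker` child and the unrelated shell alone. Percent-decoding before matching matters: a rule that grepped the raw URL for `;` would miss `%3B`.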

Compensating Controls: If patching cannot be performed immediately, or if a patch is not available due to the vendor's lack of response, implement the following controls:

  • Restrict network access to the device's management interface to a minimal set of trusted IP addresses using a firewall or Access Control Lists (ACLs).
  • If possible, disable the DOCKER Feature or the http_eshell_server service if it is not essential for business operations.
  • Place the device behind a Web Application Firewall (WAF) with rules specifically designed to detect and block command injection attempts.

Exploitation status

Public Exploit Available: true

Analyst recommendation

Due to the critical severity (CVSS 9.8), remote exploitability, and the public availability of an exploit, immediate action is required. We strongly recommend that all affected Shiguangwu sgwbox devices be patched or have compensating controls applied immediately. Given the lack of vendor response, organizations should prioritize isolating these devices from the internet and prepare for the possibility that a patch will not be forthcoming. Although this vulnerability is not currently listed on the CISA KEV catalog, its characteristics make it a prime candidate for future inclusion, and it should be treated with the highest priority.