CVE-2026-2686
SECCN · Dingcheng G10
A command injection vulnerability in the SECCN Dingcheng G10 login script allows unauthenticated remote attackers to execute OS commands via the User argument.
Executive summary
A critical OS command injection vulnerability in SECCN Dingcheng G10 devices allows unauthenticated remote attackers to execute arbitrary system commands and take full control of the appliance.
Vulnerability
The vulnerability exists in the qq function within /cgi-bin/session_login.cgi. Improper sanitization of the User argument allows an unauthenticated remote attacker to inject and execute arbitrary operating system commands.
Business impact
This flaw provides a direct path to total system compromise. Attackers can execute commands with the privileges of the web server, potentially escalating to root, stealing sensitive credentials, or disrupting critical business operations. The CVSS score of 9.8 indicates an extremely high risk.
Remediation
Immediate Action: Apply the latest firmware update provided by SECCN to patch the vulnerable CGI script. If a patch is unavailable, restrict access to the management interface.
Proactive Monitoring: Monitor web server logs for suspicious characters (e.g., ;, |, &) within the User parameter of requests directed at session_login.cgi.
Compensating Controls: Deploy a Web Application Firewall (WAF) with rules specifically designed to detect and block OS command injection patterns in HTTP POST/GET parameters.
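As an added illustration of the monitoring step above (example code written for this page, not tooling from SECCN or the advisory), the script below scans web server access log lines for requests to session_login.cgi whose User parameter carries shell metacharacters, decoding the value so percent-encoded and double-encoded variants are caught as well. It assumes Common Log Format entries and GET requests with a query string; the sample log lines, client addresses and the Passwd parameter name are constructed.

```python
"""Flag command-injection indicators in the User parameter of requests
to /cgi-bin/session_login.cgi (detection example for CVE-2026-2686)."""
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Shell metacharacters the advisory tells defenders to watch for (; | &),
# plus backticks, newlines and subshell syntax that serve the same purpose.
SUSPICIOUS = re.compile(r"[;|&`\n\r]|\$\(|\$\{")

# Common Log Format (assumed); only the request target is inspected.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def check_request_target(target: str):
    """Return the decoded User value if it contains injection metacharacters, else None."""
    parts = urlsplit(target)
    if not parts.path.endswith("/cgi-bin/session_login.cgi"):
        return None
    # parse_qs percent-decodes once; decode again to catch double encoding.
    for value in parse_qs(parts.query, keep_blank_values=True).get("User", []):
        decoded = unquote_plus(value)
        if SUSPICIOUS.search(decoded):
            return decoded
    return None

def scan_log(lines):
    """Return a list of (client_ip, timestamp, decoded_user) for each suspicious request."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        hit = check_request_target(m.group("target"))
        if hit is not None:
            hits.append((m.group("ip"), m.group("ts"), hit))
    return hits

# Constructed sample log lines (not real traffic); Passwd is an assumed parameter name.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Mar/2026:12:00:01 +0000] "GET /cgi-bin/session_login.cgi?User=admin&Passwd=x HTTP/1.1" 200 512',
    '203.0.113.9 - - [10/Mar/2026:12:00:05 +0000] "GET /cgi-bin/session_login.cgi?User=admin%3Bplaceholder&Passwd=x HTTP/1.1" 200 512',
    '203.0.113.9 - - [10/Mar/2026:12:00:09 +0000] "GET /cgi-bin/session_login.cgi?User=a%2524%2528placeholder%2529 HTTP/1.1" 200 512',
    '198.51.100.2 - - [10/Mar/2026:12:01:00 +0000] "GET /cgi-bin/status.cgi?User=x%3By HTTP/1.1" 200 12',
]

if __name__ == "__main__":
    for ip, ts, user in scan_log(SAMPLE_LOG):
        print(f"[{ts}] {ip} suspicious User={user!r}")
```

Standard access logs do not record POST bodies, so if the login form submits User in the request body, the same check has to run where the body is visible, such as a reverse proxy, WAF or packet capture.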
Exploitation status
Public Exploit Available: Yes
Analyst recommendation
With a public exploit available, the urgency to remediate this vulnerability is critical. Organizations using the SECCN Dingcheng G10 must update their devices immediately to prevent unauthenticated attackers from gaining full control of their network appliances.