CVE-2026-36356

MeiG Smart · FORGE_SLT711

The GoAhead web server on MeiG Smart FORGE_SLT711 devices allows unauthenticated remote attackers to perform OS command injection via the /action/SetRemoteAccessCfg endpoint.

Executive summary

A critical OS command injection vulnerability in the MeiG Smart FORGE_SLT711 device allows unauthenticated remote attackers to execute arbitrary system commands.

Vulnerability

This is an OS command injection vulnerability in the /action/SetRemoteAccessCfg endpoint of the device's GoAhead web server: the endpoint handler fails to properly sanitize user-supplied input before passing it to the underlying system shell, and no authentication is required to reach it.

Business impact

With a CVSS score of 9.1, this vulnerability poses a severe threat, enabling attackers to gain full control over the device at the operating system level. This compromise can lead to data exfiltration, denial of service, or the use of the device as a botnet node within the local network.

Remediation

Immediate Action: Update the device firmware to the latest available version provided by the manufacturer.

Proactive Monitoring: Monitor the device for unexpected outbound traffic or anomalous processes running on the system.

Compensating Controls: Restrict access to the device's web management interface via firewall rules to ensure it is not reachable from untrusted networks or the public internet.
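The monitoring and network-restriction controls above, as an added example that is not from the advisory or the vendor: a Python scanner over web-server access logs that flags requests to the affected endpoint arriving from outside a management allowlist (the endpoint needs no authentication, so any such hit is worth an alert) or carrying shell metacharacters in the decoded query. The combined-style log format, the `host` parameter name, the 10.0.0.0/8 management range and the sample log lines are all constructed assumptions; GoAhead's real log format may differ.

```python
import ipaddress
import re
from urllib.parse import unquote, urlsplit

VULN_PATH = "/action/SetRemoteAccessCfg"  # endpoint named in the advisory
SHELL_META = re.compile(r"[;&|`$<>\n]")    # assumed set of shell metacharacters
# Assumed combined-style access log; GoAhead's real log format may differ.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})')
MGMT_NETWORKS = ["10.0.0.0/8"]  # assumed management allowlist

# Constructed sample log lines; the "host" parameter name is invented.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2026:10:00:00 +0000] "GET /action/SetRemoteAccessCfg?host=10.0.0.7 HTTP/1.1" 200 512',
    '198.51.100.23 - - [01/Jan/2026:10:01:00 +0000] "POST /action/SetRemoteAccessCfg HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Jan/2026:10:02:00 +0000] "POST /action/SetRemoteAccessCfg?host=203.0.113.9%3Bls HTTP/1.1" 200 512',
    '198.51.100.23 - - [01/Jan/2026:10:03:00 +0000] "GET /index.html HTTP/1.1" 200 2048',
]

def parse_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def find_suspicious(lines, mgmt_networks):
    """Flag requests to the vulnerable endpoint that come from outside the
    management allowlist or carry shell metacharacters in the decoded query."""
    nets = [ipaddress.ip_network(n) for n in mgmt_networks]
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip unparseable lines rather than abort the scan
        url = urlsplit(rec["target"])
        if url.path != VULN_PATH:
            continue
        reasons = []
        src = ipaddress.ip_address(rec["ip"])
        if not any(src in net for net in nets):
            reasons.append("source outside management allowlist")
        if SHELL_META.search(unquote(url.query)):
            reasons.append("shell metacharacter in request parameters")
        if reasons:
            findings.append((rec["ip"], rec["target"], reasons))
    return findings

for ip, target, reasons in find_suspicious(SAMPLE_LOG, MGMT_NETWORKS):
    print(ip, target, "; ".join(reasons))
```

Because injected input on this endpoint may travel in a POST body that access logs do not record, the allowlist check is the reliable signal; the metacharacter check only catches what reaches the logged URL.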

Exploitation status

Public Exploit Available: No

Analyst recommendation

Organizations using the MeiG Smart FORGE_SLT711 should treat this as a high-priority update. Ensure that all devices are patched and that network-level controls are in place to prevent unauthenticated access to the management interfaces.