CVE-2024-10119 – CVE-2024-10119 is a critical OS command injecti... (How to Fix)

Q: What is the severity of CVE-2024-10119?

CVE-2024-10119 has a CVSS score of 9.8 (CRITICAL). CVE-2024-10119 is a critical OS command injection vulnerability in SECOM WRTM326 wireless routers that allows unauthenticated remote attackers to execute arbitrary system commands. This affects all organizations using these routers, potentially giving attackers full control over the device. The vulnerability stems from improper input validation of a specific parameter in router requests.

📋 TL;DR

CVE-2024-10119 is a critical OS command injection vulnerability in SECOM WRTM326 wireless routers that allows unauthenticated remote attackers to execute arbitrary system commands. This affects all organizations using these routers, potentially giving attackers full control over the device. The vulnerability stems from improper input validation of a specific parameter in router requests.

💻 Affected Systems

Products:

SECOM WRTM326 Wireless Router

Versions: All versions prior to patch

Operating Systems: Embedded router firmware

Default Config Vulnerable: ⚠️ Yes

Notes: Affects default configurations; routers with WAN management enabled are most vulnerable.

📦 What is this software?

Wrtm326 Firmware by Zte

View all CVEs affecting Wrtm326 Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of router with persistent backdoor installation, credential theft, network pivoting to internal systems, and router bricking.

🟠

Likely Case

Router takeover for botnet recruitment, DNS hijacking, credential harvesting, and network traffic interception.

🟢

If Mitigated

Limited impact if routers are behind firewalls with strict inbound filtering and network segmentation.

🌐 Internet-Facing: HIGH - Routers are typically internet-facing devices directly accessible from WAN interfaces.

🏢 Internal Only: LOW - The vulnerability requires remote access, though internal attackers could exploit if they reach the management interface.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

No public PoC yet, but CVSS 9.8 with unauthenticated remote execution suggests weaponization is likely. Attack requires crafted HTTP requests to vulnerable parameter.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check with SECOM for specific firmware version

Vendor Advisory: https://www.twcert.org.tw/en/cp-139-8157-e0461-2.html

Restart Required: Yes

Instructions:

1. Check SECOM website for firmware updates. 2. Download latest firmware. 3. Log into router admin interface. 4. Navigate to firmware update section. 5. Upload and apply new firmware. 6. Reboot router.

🔧 Temporary Workarounds

Disable WAN Management

all

Prevent external access to router management interface

Login to router admin → Security/Remote Management → Disable WAN/Remote Access

Network Segmentation

all

Isolate router management interface from untrusted networks

Configure firewall rules to block external access to router management ports (typically 80, 443, 8080)

🧯 If You Can't Patch

Place router behind firewall with strict inbound rules blocking all external access to management interfaces
Implement network monitoring for unusual outbound connections from router and unexpected configuration changes

🔍 How to Verify

Check if Vulnerable:

Check router firmware version against SECOM's patched version list. Monitor for unexpected processes or configuration changes.

Check Version:

Login to router admin interface → System Status/About → Check Firmware Version

Verify Fix Applied:

Verify firmware version matches patched version from SECOM advisory. Test that crafted requests no longer execute commands.

📡 Detection & Monitoring

Log Indicators:

Unusual HTTP requests with command injection patterns
Unexpected system process execution in router logs
Configuration changes from unknown sources

Network Indicators:

Unusual outbound connections from router
Traffic to known malicious IPs from router
DNS queries to suspicious domains from router

SIEM Query:

source="router_logs" AND (http_request="*cmd=*" OR http_request="*;*" OR http_request="*|*" OR http_request="*`*" OR process="unexpected_process")

📊 Metadata

CVE ID: CVE-2024-10119

CVSS v3 Score: 9.8 (CRITICAL)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-78

Published: October 18, 2024

Last Updated: November 1, 2024

🔗 References

https://www.twcert.org.tw/en/cp-139-8157-e0461-2.html Third Party Advisory
https://www.twcert.org.tw/tw/cp-132-8156-81c9d-1.html Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2024-10119, you might also want to check these: