CVE-2024-11652
📋 TL;DR
This OS command injection in EnGenius wireless access point firmware lets an attacker who can reach the web management interface run arbitrary operating-system commands by manipulating the 'https_enable' parameter of the /admin/sn_package/sn_https endpoint. The CVSS vector published with the CVE lists low privileges required (PR:L), i.e. a logged-in management session rather than no authentication at all; because the endpoint sits under /admin/, any exposure of that interface, together with a default or reused admin password, is the real risk boundary. Public exploit details exist and no fixed firmware has been released. Organizations running EnGenius ENH1350EXT, ENS500-AC or ENS620EXT devices are affected.
💻 Affected Systems
- EnGenius ENH1350EXT
- EnGenius ENS500-AC
- EnGenius ENS620EXT
📦 What is this software?
ENH1350EXT firmware, by EnGenius Technologies
ENS500-AC firmware, by EnGenius Technologies
ENS620EXT firmware, by EnGenius Technologies
All three are EnGenius outdoor wireless access point/bridge models; the vulnerable code is the same HTTPS enable/disable handler in each model's web management interface. The product names above follow the CPE entries in the vulnerability record.
⚠️ Risk & Real-World Impact
Worst Case
Complete device compromise allowing attackers to install persistent backdoors, pivot to internal networks, intercept traffic, or use devices as botnet nodes.
Likely Case
Remote code execution leading to device takeover, credential theft, network reconnaissance, and potential lateral movement within the network.
If Mitigated
Limited impact if devices are behind firewalls with strict inbound filtering and network segmentation prevents lateral movement.
🎯 Exploit Status
Exploit details have been disclosed publicly, and a command injection in a single named parameter is trivial to weaponize once the parameter is known. The published CVSS vector lists low privileges required (PR:L): the attacker needs a management-interface session, not zero credentials. Do not treat that as a meaningful barrier on devices that still use a default or shared admin password.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: None known
Vendor Advisory: None available (the reporter states the vendor was contacted before disclosure and did not respond)
Restart Required: Not applicable (no patch exists yet)
Instructions:
No official patch is available. Ask EnGenius support for a fixed firmware build and plan to replace the devices if none is forthcoming; until then apply the workarounds below and treat the management interface as untrusted.
🔧 Temporary Workarounds
Disable Web Administration Interface
Applies to all three models. Prevent access to the vulnerable endpoint by disabling the web administration interface entirely; manage the devices through whatever alternative channel the deployment already has (console or a separate management path), and confirm afterwards that ports 80 and 443 no longer answer.
Network Access Control
Restrict access to the device administration interface with firewall rules on the Linux gateway that routes to the device (FORWARD chain; use INPUT only if the rules run on the device itself). Dropping ports 80 and 443 outright also locks out administrators, so allow the management subnet first. 192.0.2.10 (device) and 10.0.0.0/24 (management subnet) are placeholders:
# allow the management subnet, then drop everyone else
iptables -A FORWARD -d 192.0.2.10 -p tcp -m multiport --dports 80,443 -s 10.0.0.0/24 -j ACCEPT
iptables -A FORWARD -d 192.0.2.10 -p tcp -m multiport --dports 80,443 -j DROP
🧯 If You Can't Patch
- Isolate affected devices in separate VLAN with strict firewall rules preventing all inbound connections
- Implement network monitoring and IDS/IPS rules to detect exploitation attempts
🔍 How to Verify
Check if Vulnerable:
Judging by its name, /admin/sn_package/sn_https is the admin UI's HTTPS enable/disable handler, so any request that reaches it may change the device's HTTPS setting: probe a lab unit or do this in a maintenance window, and never send shell metacharacters to a production device. Use curl and read the status line: curl -i -X POST 'http://device-ip/admin/sn_package/sn_https' --data 'https_enable=test' A 404 means the path is absent (probably not this firmware family); a 401 or a redirect to the login page means it is present but behind the admin session; a 200 means it is reachable as sent. Any of the three affected models with the path present should be treated as vulnerable.
Check Version:
Read the firmware version from the web interface login or status page, or from SNMP sysDescr if SNMP is enabled: snmpget -v2c -c public device-ip 1.3.6.1.2.1.1.1.0 (snmpwalk -v2c -c public device-ip 1.3.6.1.2.1.1.1 works as well). 'public' is the default read-only community; if it answers from an untrusted network, that is a second finding to fix.
Verify Fix Applied:
There is no fix to verify yet. The affected range in the public record is "up to 20241118", which is the disclosure date rather than a fixed build, so treat every firmware version of these models as vulnerable until EnGenius publishes a release that names this CVE. Once one is installed, confirm the version the device reports matches that release and re-run the safe endpoint probe above against a lab unit; do not test with live injection payloads on production devices.
📡 Detection & Monitoring
Log Indicators:
- POST requests to /admin/sn_package/sn_https from addresses that are not your management hosts, or outside change windows
- Shell metacharacters (; | & ` $ ( ) or a newline) or their URL-encoded forms (%3B, %7C, %26, %24, %0A) in the https_enable value; standard web access logs do not record POST bodies, so this needs a reverse proxy or WAF with body logging, or packet capture, in front of the management interface
- Unexpected process execution, configuration changes, or the HTTPS setting toggling without a matching change record
Network Indicators:
- HTTP POST requests to vulnerable endpoint with suspicious payloads
- Outbound connections from devices to unknown IPs
- Unusual traffic patterns from device management interfaces
SIEM Query (pseudo-syntax; map source, url, method, param and value to your log schema, and URL-decode the value before matching):
source="device-logs" AND (url="/admin/sn_package/sn_https" AND method="POST" AND (param="https_enable" AND value MATCHES "[;&|`$()]"))
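The query above only works once the request body has been parsed into fields. As an added example, not code from the original page or from EnGenius, the script below does that parsing over a few constructed JSON log lines of the kind a reverse proxy or WAF with body logging could emit; the field names ts, src, method, path and body, the set of benign toggle values, the sample addresses and the sample traffic are all assumptions. It decodes twice so that double-encoded payloads are caught, inspects the query string as well as the body in case the handler accepts the parameter on GET, and separates outright injection attempts from merely unexpected values.

```python
"""Flag command-injection attempts against the EnGenius sn_https endpoint.

Added example, not from the original page or from EnGenius. Assumes a
reverse proxy or WAF in front of the management interface writes one JSON
object per request that includes the POST body; the field names (ts, src,
method, path, body) and the sample traffic below are constructed.
"""
import json
import re
from urllib.parse import parse_qs, unquote_plus

TARGET_PATH = "/admin/sn_package/sn_https"
PARAM = "https_enable"

# Characters that end or chain a shell command. Matched after URL-decoding,
# so %3B (;) and %7C (|) are caught too.
SHELL_META = re.compile(r"[;&|`$(){}<>\n\r]")

# Values a real enable/disable toggle would plausibly carry (assumption).
BENIGN_VALUES = {"", "0", "1", "on", "off", "true", "false", "enable", "disable"}


def param_values(query: str, name: str = PARAM) -> list:
    """All URL-decoded values of `name` in a form-encoded string."""
    return parse_qs(query, keep_blank_values=True).get(name, [])


def classify(entry: dict) -> str:
    """'hit' if https_enable carries shell metacharacters, 'probe' if it
    carries any other unexpected value, 'ok' otherwise.

    The HTTP method is deliberately not checked: the page documents POST,
    but the handler may accept the same parameter on GET, so the query
    string is inspected as well as the body.
    """
    path, _, query = entry.get("path", "").partition("?")
    if path != TARGET_PATH:
        return "ok"
    values = param_values(entry.get("body", "")) + param_values(query)
    if not values:
        return "ok"
    for value in values:
        # Decode a second time: double-encoding (%2524 -> %24 -> $) is a
        # common way to slip past a filter that decodes only once.
        if SHELL_META.search(value) or SHELL_META.search(unquote_plus(value)):
            return "hit"
    if any(value.lower() not in BENIGN_VALUES for value in values):
        return "probe"
    return "ok"


def scan(lines):
    """Yield (verdict, entry) for every JSON log line that is not 'ok'."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # not a JSON record; leave it to another parser
        verdict = classify(entry)
        if verdict != "ok":
            yield verdict, entry


# Constructed sample traffic: 10.0.0.5 is the legitimate admin host,
# 203.0.113.9 the attacker.
SAMPLE_LOG = """
{"ts":"2024-11-20T10:00:01Z","src":"10.0.0.5","method":"POST","path":"/admin/sn_package/sn_https","body":"https_enable=1"}
{"ts":"2024-11-20T10:00:07Z","src":"203.0.113.9","method":"POST","path":"/admin/sn_package/sn_https","body":"https_enable=1%3Bid%3E%2Ftmp%2Fx"}
{"ts":"2024-11-20T10:00:09Z","src":"203.0.113.9","method":"POST","path":"/admin/sn_package/sn_https","body":"https_enable=1%2524%2528id%2529"}
{"ts":"2024-11-20T10:00:12Z","src":"203.0.113.9","method":"GET","path":"/admin/sn_package/sn_https?https_enable=1%7Cwget","body":""}
{"ts":"2024-11-20T10:00:15Z","src":"10.0.0.5","method":"POST","path":"/admin/sn_package/sn_https","body":"https_enable=maybe"}
{"ts":"2024-11-20T10:00:20Z","src":"10.0.0.5","method":"POST","path":"/admin/login","body":"user=admin"}
"""


def findings():
    """Scan the sample log; returns a list of (verdict, src, method, path)."""
    return [(v, e["src"], e["method"], e["path"]) for v, e in scan(SAMPLE_LOG.splitlines())]


if __name__ == "__main__":
    for verdict, src, method, path in findings():
        print(f"{verdict:5s} {src:14s} {method:4s} {path}")
```

Run as-is, it reports three hits from 203.0.113.9 (a plain ';' injection, a double-encoded '$(...)', and a '|' smuggled through the query string on a GET) and one probe from the admin host (the value 'maybe'), while the legitimate toggle and the unrelated login request are not reported. The 'probe' verdict exists so that a scanner walking the endpoint with odd values shows up before it finds a working payload.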