CVE-2024-11654 – This critical vulnerability in EnGenius wireles... (How to Fix)

Q: What is the severity of CVE-2024-11654?

CVE-2024-11654 has a CVSS score of 4.7 (MEDIUM). This critical vulnerability in EnGenius wireless access points allows remote attackers to execute arbitrary commands via command injection in the traceroute6 diagnostic function. Attackers can compromise affected devices without authentication, potentially gaining full control. All users of vulnerable EnGenius ENH1350EXT, ENS500-AC, and ENS620EXT devices are affected.

📋 TL;DR

This critical vulnerability in EnGenius wireless access points allows remote attackers to execute arbitrary commands via command injection in the traceroute6 diagnostic function. Attackers can compromise affected devices without authentication, potentially gaining full control. All users of vulnerable EnGenius ENH1350EXT, ENS500-AC, and ENS620EXT devices are affected.

💻 Affected Systems

Products:

EnGenius ENH1350EXT
EnGenius ENS500-AC
EnGenius ENS620EXT

Versions: All versions up to November 18, 2024 (20241118)

Operating Systems: Embedded firmware

Default Config Vulnerable: ⚠️ Yes

Notes: Vulnerability exists in the web administration interface's traceroute6 diagnostic function. No special configuration required for exploitation.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete device compromise allowing persistent backdoor installation, network pivoting, credential theft, and disruption of network services.

🟠

Likely Case

Unauthorized command execution leading to device configuration changes, network disruption, or installation of malware for further attacks.

🟢

If Mitigated

Limited impact if devices are behind firewalls with strict inbound filtering and network segmentation prevents lateral movement.

🌐 Internet-Facing: HIGH - Remote exploitation possible without authentication, making exposed devices immediate targets.

🏢 Internal Only: MEDIUM - Still vulnerable to internal attackers or compromised internal systems, but requires network access.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Exploit details are publicly disclosed and the vulnerability requires minimal technical skill to exploit. Remote exploitation without authentication makes this highly attractive to attackers.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None available

Restart Required: No

Instructions:

No official patch available. Vendor has not responded to disclosure. Monitor EnGenius security advisories for updates.

🔧 Temporary Workarounds

Disable web administration interface

all

Disable the web administration interface if not required, or restrict access to management interfaces

Network segmentation and firewall rules

all

Isolate affected devices in separate network segments and implement strict firewall rules

🧯 If You Can't Patch

Implement strict network access controls to limit access to device management interfaces
Monitor device logs for suspicious traceroute6 activity and command execution attempts

🔍 How to Verify

Check if Vulnerable:

Check device firmware version via web interface at System > Status > Firmware Version. If version date is 20241118 or earlier, device is vulnerable.

Check Version:

No CLI command available. Use web interface: System > Status > Firmware Version

Verify Fix Applied:

No fix available to verify. Monitor for vendor firmware updates.

📡 Detection & Monitoring

Log Indicators:

Unusual traceroute6 requests in web server logs
Suspicious command execution patterns in system logs
Multiple failed authentication attempts followed by traceroute6 requests

Network Indicators:

Unexpected outbound connections from access points
Traffic to suspicious external IPs from management interfaces
Unusual HTTP POST requests to /admin/network/diag_traceroute6

SIEM Query:

source="apache" OR source="nginx" AND (url="/admin/network/diag_traceroute6" AND (method="POST" OR method="GET")) AND (user_agent CONTAINS "curl" OR user_agent CONTAINS "wget" OR user_agent="-")

📊 Metadata

CVE ID: CVE-2024-11654

CVSS v3 Score: 4.7 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L

CWE: CWE-74

Published: November 25, 2024

Last Updated: February 12, 2025

🔗 References

https://k9u7kv33ub.feishu.cn/wiki/YrKfwHqLjijPeYkMTQfcdhrBnyg?from=from_copylink Exploit,Third Party Advisory
https://vuldb.com/?ctiid.285975 Permissions Required,VDB Entry
https://vuldb.com/?id.285975 Third Party Advisory,VDB Entry
https://vuldb.com/?submit.446637 Third Party Advisory,VDB Entry

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2024-11654, you might also want to check these: