CVE-2024-36060
📋 TL;DR
CVE-2024-36060 allows remote attackers to execute arbitrary operating system commands on EnGenius EnStation5-AC devices by injecting shell metacharacters into Ping and Speed Test parameters. This affects EnGenius EnStation5-AC A8J-ENS500AC devices running firmware version 1.0.0. Attackers can gain full control of affected devices without authentication.
💻 Affected Systems
- EnGenius EnStation5-AC A8J-ENS500AC
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete device compromise allowing persistent backdoor installation, network pivoting to internal systems, data exfiltration, and device bricking.
Likely Case
Unauthenticated remote code execution leading to device takeover, credential harvesting, and network reconnaissance.
If Mitigated
Limited impact if devices are isolated in separate VLANs with strict network segmentation and egress filtering.
🎯 Exploit Status
Exploitation requires sending specially crafted HTTP requests to the device's web interface. The GitHub reference contains proof-of-concept details.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: Not available
Restart Required: Yes
Instructions:
1. Check EnGenius support portal for firmware updates. 2. Download latest firmware if available. 3. Upload firmware via device web interface. 4. Reboot device after update.
🔧 Temporary Workarounds
Network Isolation
allPlace affected devices in isolated VLAN with no internet access and strict firewall rules.
Access Control
allRestrict web interface access to trusted management networks only using firewall rules.
🧯 If You Can't Patch
- Immediately isolate affected devices from internet and critical internal networks
- Implement strict network segmentation with firewall rules blocking all unnecessary traffic
🔍 How to Verify
Check if Vulnerable:
Check device firmware version via web interface at System > Status. If version is 1.0.0, device is vulnerable.Check Version:
No CLI command available. Must check via web interface at System > Status.Verify Fix Applied:
Verify firmware version is updated to a version later than 1.0.0 via System > Status page.📡 Detection & Monitoring
Log Indicators:
- Unusual HTTP POST requests to ping or speed test endpoints
- Shell command execution patterns in system logs
- Multiple failed login attempts followed by successful command execution
Network Indicators:
- HTTP requests containing shell metacharacters (;, |, &, $, etc.) in POST parameters
- Unusual outbound connections from device to external IPs
- Traffic to/from device on non-standard ports
SIEM Query:
source="engenius-device" AND (http_uri="*ping*" OR http_uri="*speed*test*") AND http_method="POST" AND (http_body="*;*" OR http_body="*|*" OR http_body="*&*" OR http_body="*$(*")