CVE-2024-36061
📋 TL;DR
CVE-2024-36061 is a critical OS command injection vulnerability in EnGenius EWS356-FIT wireless access points. Attackers can execute arbitrary commands with root privileges by injecting shell metacharacters into Ping and Speed Test utilities. Organizations using affected EnGenius devices are at risk.
💻 Affected Systems
- EnGenius EWS356-FIT
📦 What is this software?
Ews356 Fit Firmware by Engeniustech
⚠️ Risk & Real-World Impact
Worst Case
Complete device compromise allowing persistent backdoor installation, network pivoting, credential theft, and disruption of network services.
Likely Case
Unauthenticated remote code execution leading to device takeover, network reconnaissance, and potential lateral movement within the network.
If Mitigated
Limited impact if devices are isolated in separate VLANs with strict network segmentation and egress filtering.
🎯 Exploit Status
Exploitation requires sending specially crafted requests to vulnerable endpoints. Public PoC available in GitHub repository.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version 1.1.31 or later
Vendor Advisory: https://www.engeniustech.com/support/security-advisories/
Restart Required: Yes
Instructions:
1. Log into EnGenius Cloud management portal. 2. Navigate to device management. 3. Check for firmware updates. 4. Apply firmware version 1.1.31 or later. 5. Reboot device after update.
🔧 Temporary Workarounds
Disable Ping and Speed Test utilities
allTemporarily disable vulnerable features until patching is possible
Access device web interface > Advanced Settings > Disable Ping Test and Speed Test features
Network segmentation
allIsolate affected devices in separate VLAN with strict firewall rules
🧯 If You Can't Patch
- Immediately isolate affected devices in separate VLAN with no internet access
- Implement strict network ACLs to block all traffic to/from vulnerable devices except essential management
🔍 How to Verify
Check if Vulnerable:
Check firmware version via web interface: System > Status > Firmware Version. If version is 1.1.30 or earlier, device is vulnerable.Check Version:
curl -k https://[device-ip]/api/system/status | grep firmware_versionVerify Fix Applied:
After update, verify firmware version shows 1.1.31 or later. Test Ping and Speed Test features to ensure they function without allowing command injection.📡 Detection & Monitoring
Log Indicators:
- Unusual command execution in system logs
- Multiple failed authentication attempts followed by successful Ping/Speed Test requests
- Suspicious process creation
Network Indicators:
- Unusual outbound connections from access points
- Traffic to suspicious IPs/domains from device management interface
- HTTP requests containing shell metacharacters to /api/ping or /api/speedtest endpoints
SIEM Query:
source="engenius-logs" AND (url="*api/ping*" OR url="*api/speedtest*") AND (request CONTAINS "|" OR request CONTAINS ";" OR request CONTAINS "`" OR request CONTAINS "$")