CVE-2024-41643
📋 TL;DR
This vulnerability allows a physically proximate attacker to execute arbitrary code on Arris NVG443B routers via the cshell login component. It affects users of Arris NVG443B routers running version 9.3.0h3d36. Attackers need physical access to the device to exploit this vulnerability.
💻 Affected Systems
- Arris NVG443B
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attacker gains full control of the router, can intercept/modify network traffic, install persistent malware, or pivot to other devices on the network.
Likely Case
Attacker with physical access executes limited code to reconfigure router settings, disrupt network connectivity, or steal credentials.
If Mitigated
With proper physical security controls, the vulnerability cannot be exploited as physical access is required.
🎯 Exploit Status
Exploitation requires physical access to the device. No authentication is required once physical access is obtained.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: No vendor advisory found
Restart Required: No
Instructions:
Check with Arris/Commscope for firmware updates. If available, download and install the latest firmware through the router's admin interface.
🔧 Temporary Workarounds
Physical Security Controls
allRestrict physical access to the router to prevent exploitation
Disable Unused Services
allDisable cshell or other unused login services if possible through admin interface
🧯 If You Can't Patch
- Implement strict physical security controls - lock router in secure location
- Monitor router for unauthorized configuration changes and unexpected reboots
🔍 How to Verify
Check if Vulnerable:
Check firmware version in router admin interface. If version is 9.3.0h3d36, device is vulnerable.Check Version:
Check via router web interface at 192.168.0.1 or 192.168.1.1 (admin credentials required)Verify Fix Applied:
Verify firmware version has been updated to a version newer than 9.3.0h3d36📡 Detection & Monitoring
Log Indicators:
- Unexpected cshell login attempts
- Router configuration changes without authorization
- Unexpected router reboots
Network Indicators:
- Unusual network traffic patterns from router
- DNS or routing configuration changes
SIEM Query:
Search for router login events outside maintenance windows or from unexpected sources