CVE-2024-50370 – This is a critical OS command injection vulnera... (How to Fix)

Q: How do I fix CVE-2024-50370?

1. Check current firmware version. 2. Download latest firmware from Advantech support portal. 3. Upload firmware via web interface. 4. Apply firmware update. 5. Reboot device.

Q: What is the severity of CVE-2024-50370?

CVE-2024-50370 has a CVSS score of 9.8 (CRITICAL). This is a critical OS command injection vulnerability in Advantech wireless access points that allows remote unauthenticated attackers to execute arbitrary commands with root privileges. The vulnerability affects specific EKI-6333AC series devices and is exploitable via the default 'edgserver' service without authentication. Attackers can gain complete control of affected devices over the network.

📋 TL;DR

This is a critical OS command injection vulnerability in Advantech wireless access points that allows remote unauthenticated attackers to execute arbitrary commands with root privileges. The vulnerability affects specific EKI-6333AC series devices and is exploitable via the default 'edgserver' service without authentication. Attackers can gain complete control of affected devices over the network.

💻 Affected Systems

Products:

Advantech EKI-6333AC-2G
Advantech EKI-6333AC-2GD
Advantech EKI-6333AC-1GPO

Versions: EKI-6333AC-2G <= 1.6.3, EKI-6333AC-2GD <= v1.6.3, EKI-6333AC-1GPO <= v1.2.1

Operating Systems: Embedded Linux-based firmware

Default Config Vulnerable: ⚠️ Yes

Notes: The vulnerable 'edgserver' service is enabled by default with no authentication required.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete device compromise allowing attackers to install persistent backdoors, pivot to internal networks, exfiltrate data, or use devices as botnet nodes.

🟠

Likely Case

Remote code execution leading to device takeover, network reconnaissance, and lateral movement within the network.

🟢

If Mitigated

Limited impact if devices are behind firewalls with strict network segmentation and access controls.

🌐 Internet-Facing: HIGH - Devices exposed to the internet can be directly exploited by any remote attacker without authentication.

🏢 Internal Only: HIGH - Even internally, any network-accessible device can be exploited by attackers who gain internal access.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

The vulnerability is in a specific operation (cfg_cmd_set_eth_conf) and requires no authentication, making exploitation straightforward for attackers with network access.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check Advantech security advisory for specific patched versions

Vendor Advisory: https://www.advantech.com/support

Restart Required: Yes

Instructions:

1. Check current firmware version. 2. Download latest firmware from Advantech support portal. 3. Upload firmware via web interface. 4. Apply firmware update. 5. Reboot device.

🔧 Temporary Workarounds

Disable edgserver service

all

Disable the vulnerable service if not required for functionality

Check device documentation for service management commands

Network segmentation

all

Isolate affected devices in separate VLANs with strict firewall rules

🧯 If You Can't Patch

Implement strict network access controls to limit access to affected devices
Monitor network traffic to/from affected devices for suspicious activity

🔍 How to Verify

Check if Vulnerable:

Check device firmware version via web interface or CLI and compare against vulnerable versions

Check Version:

Check via web interface or consult device documentation for CLI version command

Verify Fix Applied:

Verify firmware version is updated beyond vulnerable versions and test if edgserver service responds to exploitation attempts

📡 Detection & Monitoring

Log Indicators:

Unusual command execution in system logs
Failed authentication attempts to edgserver service
Unexpected process creation

Network Indicators:

Unusual traffic to port used by edgserver service
Suspicious payloads in network traffic to affected devices

SIEM Query:

Search for network connections to port [edgserver_port] from unexpected sources OR device logs containing 'cfg_cmd_set_eth_conf' with suspicious parameters

📊 Metadata

CVE ID: CVE-2024-50370

CVSS v3 Score: 9.8 (CRITICAL)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-78

Published: November 26, 2024

Last Updated: January 23, 2026

🔗 References

https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2024-50370 Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2024-50370, you might also want to check these: