Radek Domanski

22 exploits Active since Mar 2020
CVE-2020-28347 WRITEUP CRITICAL WRITEUP
TP-Link Archer A7 AC1750 Firmware < 201029 - Remote Code Execution via tdpServer slave_mac Parameter
tdpServer on TP-Link Archer A7 AC1750 devices before 201029 allows remote attackers to execute arbitrary code via the slave_mac parameter. NOTE: this issue exists because of an incomplete fix for CVE-2020-10882 in which shell quotes are mishandled.
CVSS 9.8
CVE-2020-28347 WRITEUP CRITICAL WRITEUP
TP-Link Archer A7 AC1750 Firmware < 201029 - Remote Code Execution via tdpServer slave_mac Parameter
tdpServer on TP-Link Archer A7 AC1750 devices before 201029 allows remote attackers to execute arbitrary code via the slave_mac parameter. NOTE: this issue exists because of an incomplete fix for CVE-2020-10882 in which shell quotes are mishandled.
CVSS 9.8
CVE-2020-12004 METASPLOIT HIGH ruby WORKING POC
Ignition Gateway < 7.9.14 - Unauthenticated Sensitive Information Disclosure
The affected product lacks proper authentication required to query the server on the Ignition 8 Gateway (versions prior to 8.0.10) and Ignition 7 Gateway (versions prior to 7.9.14), allowing an attacker to obtain sensitive information.
CVSS 7.5
CVE-2020-10924 METASPLOIT HIGH ruby WORKING POC
Netgear R6700v3 Unauthenticated LAN Admin Password Reset
This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of NETGEAR R6700 V1.0.4.84_10.0.58 routers. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the UPnP service, which listens on TCP port 5000 by default. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length, stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-9643.
CVSS 8.8
CVE-2020-28347 METASPLOIT CRITICAL ruby WORKING POC
TP-Link Archer A7 AC1750 Firmware < 201029 - Remote Code Execution via tdpServer slave_mac Parameter
tdpServer on TP-Link Archer A7 AC1750 devices before 201029 allows remote attackers to execute arbitrary code via the slave_mac parameter. NOTE: this issue exists because of an incomplete fix for CVE-2020-10882 in which shell quotes are mishandled.
CVSS 9.8
CVE-2020-10882 METASPLOIT HIGH ruby WORKING POC
TP-Link Archer A7 Firmware Ver: 190726 AC1750 - RCE
This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of TP-Link Archer A7 Firmware Ver: 190726 AC1750 routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the tdpServer service, which listens on UDP port 20002 by default. When parsing the slave_mac parameter, the process does not properly validate a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the root user. Was ZDI-CAN-9650.
CVSS 8.8
CVE-2020-12027 METASPLOIT MEDIUM ruby WORKING POC
FactoryTalk View SE - Exposure of Sensitive Information via Hostname and File Path Disclosure
All versions of FactoryTalk View SE disclose the hostnames and file paths for certain files within the system. A remote, authenticated attacker may be able to leverage this information for reconnaissance efforts. Rockwell Automation recommends enabling built in security features found within FactoryTalk View SE. Users should follow guidance found in knowledge base articles 109056 and 1126943 to set up IPSec and/or HTTPs.
CVSS 4.3
CVE-2020-12028 METASPLOIT HIGH ruby WORKING POC
FactoryTalk View SE - Authenticated Remote Code Execution via Unrestricted Data Handler
In all versions of FactoryTalk View SEA remote, an authenticated attacker may be able to utilize certain handlers to interact with the data on the remote endpoint since those handlers do not enforce appropriate permissions. Rockwell Automation recommends enabling built in security features found within FactoryTalk View SE. Users should follow guidance found in knowledge base articles 109056 and 1126943 to set up IPSec and/or HTTPs.
CVSS 7.3
CVE-2020-10883 METASPLOIT HIGH ruby WORKING POC
TP-Link Archer A7 Firmware <190726 - Privilege Escalation
This vulnerability allows local attackers to escalate privileges on affected installations of TP-Link Archer A7 Firmware Ver: 190726 AC1750 routers. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the file system. The issue lies in the lack of proper permissions set on the file system. An attacker can leverage this vulnerability to escalate privileges. Was ZDI-CAN-9651.
CVSS 7.8
CVE-2020-10882 EXPLOITDB HIGH ruby WORKING POC
TP-Link Archer A7 Firmware Ver: 190726 AC1750 - RCE
This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of TP-Link Archer A7 Firmware Ver: 190726 AC1750 routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the tdpServer service, which listens on UDP port 20002 by default. When parsing the slave_mac parameter, the process does not properly validate a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the root user. Was ZDI-CAN-9650.
CVSS 8.8
CVE-2020-10883 EXPLOITDB HIGH ruby WORKING POC
TP-Link Archer A7 Firmware <190726 - Privilege Escalation
This vulnerability allows local attackers to escalate privileges on affected installations of TP-Link Archer A7 Firmware Ver: 190726 AC1750 routers. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the file system. The issue lies in the lack of proper permissions set on the file system. An attacker can leverage this vulnerability to escalate privileges. Was ZDI-CAN-9651.
CVSS 7.8
CVE-2020-28347 WRITEUP CRITICAL WRITEUP
TP-Link Archer A7 AC1750 Firmware < 201029 - Remote Code Execution via tdpServer slave_mac Parameter
tdpServer on TP-Link Archer A7 AC1750 devices before 201029 allows remote attackers to execute arbitrary code via the slave_mac parameter. NOTE: this issue exists because of an incomplete fix for CVE-2020-10882 in which shell quotes are mishandled.
CVSS 9.8
CVE-2020-28347 WRITEUP CRITICAL WRITEUP
TP-Link Archer A7 AC1750 Firmware < 201029 - Remote Code Execution via tdpServer slave_mac Parameter
tdpServer on TP-Link Archer A7 AC1750 devices before 201029 allows remote attackers to execute arbitrary code via the slave_mac parameter. NOTE: this issue exists because of an incomplete fix for CVE-2020-10882 in which shell quotes are mishandled.
CVSS 9.8
CVE-2021-36224 WRITEUP CRITICAL WRITEUP
Western Digital My Cloud <OS5 - Info Disclosure
Western Digital My Cloud devices before OS5 have a nobody account with a blank password.
CVSS 9.8
CVE-2021-36225 WRITEUP HIGH WRITEUP
Western Digital My Cloud <OS5 - Privilege Escalation
Western Digital My Cloud devices before OS5 allow REST API access by low-privileged accounts, as demonstrated by API commands for firmware uploads and installation.
CVSS 8.8
CVE-2021-36226 WRITEUP CRITICAL WRITEUP
Western Digital My Cloud <OS5 - Info Disclosure
Western Digital My Cloud devices before OS5 do not use cryptographically signed Firmware upgrade files.
CVSS 9.8
CVE-2020-10923 METASPLOIT HIGH ruby WORKING POC
NETGEAR R6700 V1.0.4.84_10.0.58 - Auth Bypass
This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of NETGEAR R6700 V1.0.4.84_10.0.58 routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the UPnP service, which listens on TCP port 5000. A crafted UPnP message can be used to bypass authentication. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of root. Was ZDI-CAN-9642.
CVSS 8.8
CVE-2020-10644 METASPLOIT HIGH ruby WORKING POC
Ignition <8.0.10, <7.9.14 - Info Disclosure
The affected product lacks proper validation of user-supplied data, which can result in deserialization of untrusted data on the Ignition 8 Gateway (versions prior to 8.0.10) and Ignition 7 Gateway (versions prior to 7.9.14), allowing an attacker to obtain sensitive information.
CVSS 7.5
CVE-2022-20699 METASPLOIT CRITICAL ruby WORKING POC
Cisco RV340, RV340W, RV345, RV345P Firmware < 1.0.03.24 - Unauthenticated Remote Code Execution
Multiple vulnerabilities in Cisco Small Business RV160, RV260, RV340, and RV345 Series Routers could allow an attacker to do any of the following: Execute arbitrary code Elevate privileges Execute arbitrary commands Bypass authentication and authorization protections Fetch and run unsigned software Cause denial of service (DoS) For more information about these vulnerabilities, see the Details section of this advisory.
CVSS 10.0
CVE-2020-12029 METASPLOIT CRITICAL ruby WORKING POC
Rockwell Automation FactoryTalk View SE - Unauthenticated Remote Code Execution via Crafted Filename
All versions of FactoryTalk View SE do not properly validate input of filenames within a project directory. A remote, unauthenticated attacker may be able to execute a crafted file on a remote endpoint that may result in remote code execution (RCE). Rockwell Automation recommends applying patch 1126289. Before installing this patch, the patch rollup dated 06 Apr 2020 or later MUST be applied. 1066644 – Patch Roll-up for CPR9 SRx.
CVSS 9.0
CVE-2020-10884 METASPLOIT HIGH ruby WORKING POC
TP-Link Archer A7 Firmware <190726 - RCE
This vulnerability allows network-adjacent attackers execute arbitrary code on affected installations of TP-Link Archer A7 Firmware Ver: 190726 AC1750 routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the tdpServer service, which listens on UDP port 20002 by default. This issue results from the use of hard-coded encryption key. An attacker can leverage this in conjunction with other vulnerabilities to execute code in the context of root. Was ZDI-CAN-9652.
CVSS 8.8
CVE-2020-10884 EXPLOITDB HIGH ruby WORKING POC
TP-Link Archer A7 Firmware <190726 - RCE
This vulnerability allows network-adjacent attackers execute arbitrary code on affected installations of TP-Link Archer A7 Firmware Ver: 190726 AC1750 routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the tdpServer service, which listens on UDP port 20002 by default. This issue results from the use of hard-coded encryption key. An attacker can leverage this in conjunction with other vulnerabilities to execute code in the context of root. Was ZDI-CAN-9652.
CVSS 8.8