CVE-2012-6610

HIGH

Polycom Hdx Video End Points < 3.0.4 - OS Command Injection

Title source: rule

Description

Polycom HDX Video End Points before 3.0.4 and UC APL before 2.7.1.J allows remote authenticated users to execute arbitrary commands as demonstrated by a ; (semicolon) to the ping command feature.

Exploits (1)

metasploit WORKING POC NORMAL

rubypocunix

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/misc/polycom_hdx_auth_bypass.rb

View Code ZIP pw:eip

References (2)

[Mailing List, Third Party Advisory] http://seclists.org/fulldisclosure/2012/Mar/18

[Third Party Advisory] https://web.archive.org/web/20130317232013/http://blog.tempest.com.br/joao-paulo-campello/polycom-web-management-interface-os-command-injection.html

Scores

CVSS v3 8.8

EPSS 0.5609

EPSS Percentile 98.1%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-78

Status published

Products (2)

polycom/hdx_video_end_points < 3.0.4

polycom/uc_apl < 2.7.1.j

Published Jan 28, 2020

Tracked Since Feb 18, 2026