CVE-2017-9135

HIGH

Mimosa Client Radios <2.2.4 - Mimosa Backhaul Radios <2.2.4 - RCE

Title source: llm
STIX 2.1

Description

An issue was discovered on Mimosa Client Radios before 2.2.4 and Mimosa Backhaul Radios before 2.2.4. On the backend of the device's web interface, there are some diagnostic tests available that are not displayed on the webpage; these are only accessible by crafting a POST request with a program like cURL. There is one test accessible via cURL that does not properly sanitize user input, allowing an attacker to execute shell commands as the root user.

References (1)

Core 1
Core References
Third Party Advisory x_refsource_misc
http://blog.iancaling.com/post/160596244178

Scores

CVSS v3 8.8
EPSS 0.0134
EPSS Percentile 67.7%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-74
Status published
Products (2)
mimosa/backhaul_radios < 2.2.3
mimosa/client_radios < 2.2.3
Published May 21, 2017
Tracked Since Feb 18, 2026