CVE-2019-3495
HIGH EXPLOITED
Indionetworks Unibox Firmware - Unrestricted File Upload
Title source: rule
Description
An issue was discovered on Wifi-soft UniBox controller 0.x through 2.x devices. network/mesh/edit-nds.php is vulnerable to arbitrary file upload, allowing an attacker to upload .php files and execute code on the server with root user privileges. Authentication for accessing this component can be bypassed by using hard-coded credentials.
References (3)
Core References
Exploit, Third Party Advisory, VDB Entry x_refsource_misc
http://packetstormsecurity.com/files/151077/Wifi-soft-Unibox-2.x-Remote-Command-Code-Injection.html
Exploit, Mailing List, Third Party Advisory mailing-list x_refsource_mlist
http://seclists.org/fulldisclosure/2019/Jan/23
Exploit, Third Party Advisory x_refsource_misc
https://sahildhar.github.io/blogpost/Multiple-RCE-Vulnerabilties-in-Unibox-Controller-0.x-3.x/
Scores
CVSS v3: 8.8
EPSS: 0.0110
EPSS Percentile: 78.1%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Details
VulnCheck KEV: 2025-07-21
CWE: CWE-434, CWE-798
Status: published
Products (1)
indionetworks/unibox_firmware
Published: Mar 21, 2019
Tracked Since: Feb 18, 2026