CVE-2019-3495
HIGH EXPLOITED
Wifi-soft UniBox 0.x-2.x - Unauthenticated Arbitrary File Upload via network/mesh/edit-nds.php
Title source: llm
Exploitation Summary
CVE-2019-3495 has been observed exploited in the wild (reported by VulnCheck KEV).
Description
An issue was discovered on Wifi-soft UniBox controller 0.x through 2.x devices. network/mesh/edit-nds.php is vulnerable to arbitrary file upload, allowing an attacker to upload .php files and execute code on the server with root user privileges. Authentication for accessing this component can be bypassed by using hard-coded credentials.
References (3)
Core References
Exploit, Third Party Advisory, VDB Entry x_refsource_misc
http://packetstormsecurity.com/files/151077/Wifi-soft-Unibox-2.x-Remote-Command-Code-Injection.html
Exploit, Mailing List, Third Party Advisory mailing-list x_refsource_mlist
http://seclists.org/fulldisclosure/2019/Jan/23
Exploit, Third Party Advisory x_refsource_misc
https://sahildhar.github.io/blogpost/Multiple-RCE-Vulnerabilties-in-Unibox-Controller-0.x-3.x/
Scores
CVSS v3: 8.8
EPSS: 0.0504
EPSS Percentile: 91.2%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Details
VulnCheck KEV: 2025-07-21
CWE: CWE-434, CWE-798
Status: published
Products (1): indionetworks/unibox_firmware
Published: Mar 21, 2019
Tracked Since: Feb 18, 2026