CVE-2019-3497
HIGH
Wifi-soft UniBox controller 0.x-2.x - Unauthenticated Remote Command Execution via Diagnostic Tools Ping Feature
Title source: llm
Description
An issue was discovered on Wifi-soft UniBox controller 0.x through 2.x devices. The tools/ping Ping feature of the Diagnostic Tools component is vulnerable to Remote Command Execution, allowing an attacker to execute arbitrary system commands on the server with root user privileges. Authentication for accessing this component can be bypassed by using hard-coded credentials.
References (3)
Core References
Exploit, Third Party Advisory, VDB Entry x_refsource_misc
http://packetstormsecurity.com/files/151077/Wifi-soft-Unibox-2.x-Remote-Command-Code-Injection.html
Exploit, Mailing List, Third Party Advisory mailing-list x_refsource_mlist
http://seclists.org/fulldisclosure/2019/Jan/23
Exploit, Third Party Advisory x_refsource_misc
https://sahildhar.github.io/blogpost/Multiple-RCE-Vulnerabilties-in-Unibox-Controller-0.x-3.x/
Scores
CVSS v3: 8.8
EPSS: 0.0958
EPSS Percentile: 94.8%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Details
CWE: CWE-798
Status: published
Products (1): indionetworks/unibox_firmware
Published: Mar 21, 2019
Tracked Since: Feb 18, 2026