CVE-2020-10173

HIGH · EXPLOITED IN THE WILD

Comtrend VR-3033 DE11-416SSG-C01_R02.A2pvI042j1.d26m - OS Command Injection via ping.cgi

Exploitation Summary

CVE-2020-10173 has been observed exploited in the wild (reported by VulnCheck KEV, InTheWild.io). EIP tracks 1 public exploit from researchers including Raki Ben Hamouda.

AI-analyzed exploit summary: This exploit demonstrates an authenticated command injection vulnerability in Comtrend VR-3033 routers via the ping and traceroute diagnostic pages. The PoC shows how an attacker can inject commands (e.g., 'google.fr;ls -l') to achieve remote code execution.

Description

Comtrend VR-3033 DE11-416SSG-C01_R02.A2pvI042j1.d26m devices have Multiple Authenticated Command Injection vulnerabilities via the ping and traceroute diagnostic pages, as demonstrated by shell metacharacters in the pingIpAddress parameter to ping.cgi.

Exploits (1)

exploitdb · WORKING POC
by Raki Ben Hamouda · text · webapps · hardware
https://www.exploit-db.com/exploits/48142

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: Comtrend VR-3033 (Firmware DE11-416SSG-C01_R02.A2pvI042j1.d26m)
Auth required
Prerequisites: Access to the router's web interface · Valid credentials for authentication
devstral-2 · analyzed Feb 16, 2026

References (1)

Core References
Exploit, Third Party Advisory, VDB Entry · x_refsource_misc
https://www.exploit-db.com/exploits/48142

Scores

CVSS v3 8.8
EPSS 0.7728
EPSS Percentile 99.5%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

VulnCheck KEV 2020-05-07
InTheWild.io 2020-07-09
CWE CWE-78
Status published
Products (1)
comtrend/vr-3033_firmware de11-416ssg-c01_r02.a2pvi042j1.d26m
Published Mar 05, 2020
Tracked Since Feb 18, 2026