Description
An issue was discovered in Peplink Balance Two before 8.4.0. Command injection in the traceroute feature of the administration console allows users with admin privileges to execute arbitrary commands as root.
References (2)
Core References
Third Party Advisory
https://www.synacktiv.com/publications%253Ffield_tags_target_id%253D4
Exploit, Third Party Advisory
https://www.synacktiv.com/sites/default/files/2023-12/synacktiv-peplink-multiple-vulnerabilities.pdf
Scores
CVSS v3
7.2
EPSS
0.0342
EPSS Percentile
87.4%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-77
Status
published
Products (1)
peplink/balance_two_firmware
< 8.4.0
Published
Dec 25, 2023
Tracked Since
Feb 18, 2026