CVE-2024-45242

HIGH

EnGenius ENH1350EXT - Command Injection

Title source: llm

Description

EnGenius ENH1350EXT A8J-ENH1350EXT devices through 3.9.3.2_c1.9.51 allow (blind) OS Command Injection via shell metacharacters to the Ping or Speed Test utility. During the time of initial setup, the device creates an open unsecured network whose admin panel is configured with the default credentials of admin/admin. An unauthorized attacker in proximity to the Wi-Fi network can exploit this window of time to execute arbitrary OS commands with root-level permissions.

References (2)

Core 2

Core References

Various Sources

https://github.com/actuator/cve/blob/main/Engenius/CVE-2024-45242

Various Sources

https://github.com/actuator/cve/blob/main/Engenius/CVE-2024-45242_Extended_Report.pdf

View Writeup ZIP pw:eip

Scores

CVSS v3 7.8

EPSS 0.0132

EPSS Percentile 80.0%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-78

Status published

Published Oct 24, 2024

Tracked Since Feb 18, 2026