CVE-2024-5195

MEDIUM

Arris VAP2500 08.50 - Command Injection

Title source: llm

Description

A vulnerability was found in Arris VAP2500 08.50. It has been rated as critical. Affected by this issue is some unknown functionality of the file /diag_s.php. The manipulation of the argument customer_info leads to command injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-265832.

References (4)

Core 4

Core References

Third Party Advisory, VDB Entry vdb-entry technical-description

https://vuldb.com/?id.265832

Permissions Required, VDB Entry signature permissions-required

https://vuldb.com/?ctiid.265832

Third Party Advisory, VDB Entry third-party-advisory

https://vuldb.com/?submit.335253

Broken Link exploit

https://github.com/h0e4a0r1t/h0e4a0r1t.github.io/blob/master/2024/a%2B%26%5BE4%3Flp5%3Fk9_%3D%5D/ARRIS_VAP2500-RCE-diag_s.php.pdf

Scores

CVSS v3 4.7

EPSS 0.0416

EPSS Percentile 89.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-77

Status published

Products (1)

arris/vap2500_firmware 08.50

Published May 22, 2024

Tracked Since Feb 18, 2026