CVE-2024-5196

MEDIUM

Arris VAP2500 08.50 - Command Injection

Title source: llm

Description

A vulnerability classified as critical has been found in Arris VAP2500 08.50. This affects an unknown part of the file /tools_command.php. The manipulation of the argument cmb_header/txt_command leads to command injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-265833 was assigned to this vulnerability.

References (4)

Core 4

Core References

Permissions Required, VDB Entry signature permissions-required

https://vuldb.com/?ctiid.265833

Third Party Advisory, VDB Entry third-party-advisory

https://vuldb.com/?submit.335254

Third Party Advisory, VDB Entry vdb-entry technical-description

https://vuldb.com/?id.265833

Broken Link exploit

https://github.com/h0e4a0r1t/h0e4a0r1t.github.io/blob/master/2024/a%2B%26%5BE4%3Flp5%3Fk9_%3D%5D/ARRIS_VAP2500-RCE-tools_command.php.pdf

Scores

CVSS v3 4.7

EPSS 0.0416

EPSS Percentile 89.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-77

Status published

Products (1)

arris/vap2500_firmware 08.50

Published May 22, 2024

Tracked Since Feb 18, 2026