CVE-2024-57590

CRITICAL

TRENDnet TEW-632BRP v1.010B31 - OS Command Injection via NTP Server Parameter

Title source: llm

Description

TRENDnet TEW-632BRP v1.010B31 devices have an OS command injection vulnerability in the CGl interface "ntp_sync.cgi",which allows remote attackers to execute arbitrary commands via parameter "ntp_server" passed to the "ntp_sync.cgi" binary through a POST request.

References (1)

Core 1

Core References

Broken Link

https://github.com/IdaJea/IOT_vuln_1/blob/master/tew632/ntp_sync.md

Scores

CVSS v3 9.8

EPSS 0.0076

EPSS Percentile 73.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact total

Details

CWE

CWE-77

Status published

Products (1)

trendnet/tew-632brp_firmware 1.010b31

Published Jan 27, 2025

Tracked Since Feb 18, 2026