Description
An OS command injection vulnerability exists in Russound MBX-PRE-D67F firmware version 3.1.6, allowing unauthenticated attackers to execute arbitrary commands as root via crafted input to the hostname parameter in network configuration requests. This vulnerability stems from improper neutralization of special elements used in an OS command within the network configuration handler, enabling remote code execution with the highest privileges.
References (3)
Core References
Various Sources: https://pastebin.com/ic8hkC5V
Various Sources: https://pastebin.com/raw/0U6F55G5
Scores
CVSS v3: 9.8
EPSS: 0.0793
EPSS Percentile: 94.0%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA SSVC (Vulnrichment)
Exploitation: poc
Automatable: yes
Technical Impact: total
Details
CWE: CWE-78
Status: published
Published: Jul 31, 2025
Tracked Since: Feb 18, 2026