CVE-2024-4999

Summary

A vulnerability in the web-based management interface of multiple Ligowave devices could allow an authenticated remote attacker to execute arbitrary commands with elevated privileges.This issue affects UNITY: through 6.95-2; PRO: through 6.95-1.Rt3883; MIMO: through 6.95-1.Rt2880; APC Propeller: through 2-5.95-4.Rt3352.

Affected Software

VendorProductVersion RangeStatus
LigowaveUNITY0 <= 6.95-2affected
LigowavePRO0 <= 6.95-1.rt3883affected
LigowaveMIMO0 <= 6.95-1.rt2880affected
LigowaveAPC Propeller0 <= 2-5.95-4.rt3352affected

Weaknesses

  • CWE-77: CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')

Workarounds

This product being EOL, Ligowave will not patch the vulnerability. If replacement of the EOL device is not possible, ensure access to the administration interface is restricted to administration network zones only, to reduce likelihood of exploitation.

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: no
    • Technical Impact: total

CVE Program Container

Additional References

References