| Название | WAYOS FBM220G and others 24.10.19 Command Injection |
|---|
| Описание | A command injection vulnerability exists in WAYOS FBM220G and other related models running firmware version FBM_220G-24.10.19V-vue-aiv3.trx. The vulnerability is located in the `sub_40F820` function within the `rc` binary. When processing configuration items such as `upnp_waniface`, `upnp_ssdp_interval`, and `upnp_max_age`, the program retrieves their values using `nvram_get` without proper sanitization. These values are then concatenated into a shell command string via `snprintf` and executed through `jhl_system`. An attacker who can tamper with the relevant configuration parameters may inject arbitrary commands, potentially leading to remote code execution and full device compromise.
|
|---|
| Источник | ⚠️ https://github.com/glkfc/IoT-Vulnerability/blob/main/wayos/wayos.md |
|---|
| Пользователь | jfkk (UID 79868) |
|---|
| Представление | 31.01.2026 15:36 (3 месяцы назад) |
|---|
| Модерация | 15.02.2026 17:04 (15 days later) |
|---|
| Статус | принято |
|---|
| Запись VulDB | 346157 [WAYOS FBM-220G 24.10.19 rc sub_40F820 upnp_waniface/upnp_ssdp_interval/upnp_max_age эскалация привилегий] |
|---|
| Баллы | 20 |
|---|