CVE-2019-19356
Published: 07 February 2020
Summary
CVE-2019-19356 is a high-severity OS Command Injection (CWE-78) vulnerability in Netis-Systems Wf2419 Firmware. Its CVSS base score is 7.5 (High).
Operationally, it is ranked in the top 0.3% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog; and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AC-6 (Least Privilege).
Deeper analysis
Netis WF2419 routers running firmware versions V1.2.31805 and V2.2.36123 contain an authenticated remote code execution vulnerability in the web management interface. The flaw, tracked as CVE-2019-19356 and assigned CWE-78, stems from missing sanitization of user input passed to the tracert diagnostic tool, allowing system commands to be executed with root privileges. The issue carries a CVSS 3.1 score of 7.5 reflecting network attack vector, high attack complexity, and low privileges required.
An attacker who has obtained valid credentials for the router's administrative web page can submit crafted input through the tracert function to run arbitrary commands as root. Successful exploitation grants full control of the device, including the ability to modify configuration, intercept traffic, or pivot to other systems on the local network.
Public proof-of-concept code and technical write-ups are available that demonstrate the attack against the affected firmware versions, though no vendor advisory or patch information is referenced in the available sources.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2019-8977
Vulnerability details
Netis WF2419 is vulnerable to authenticated Remote Code Execution (RCE) as root through the router Web management page. The vulnerability has been found in firmware version V1.2.31805 and V2.2.36123. After one is connected to this page, it is possible to execute system commands as root through the tracert diagnostic tool because of lack of user input sanitizing.
- CWE(s): CWE-78
- KEV Date Added: 03 November 2021
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly requires validation and sanitization of untrusted input to the tracert diagnostic tool, blocking the OS command injection that enables authenticated RCE.
- AC-6 (Least Privilege): enforces execution of the web management interface and diagnostic functions with only the privileges required, preventing root-level command execution even after successful injection.
- Least functionality: restricts the router to only the necessary network functions and disables or tightly limits the tracert diagnostic feature that accepts unsanitized input.
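As an added illustration of the input-validation control described above (not code from the Netis firmware or from any referenced write-up), the handler below shows the weak pattern a diagnostic page like tracert typically uses next to a hardened form: the target is checked against an allowlist of valid IP literals and hostnames, and the tool is invoked with an argument vector rather than through a shell, so shell metacharacters never reach an interpreter. Function names, the `traceroute` binary name and the hop limit are assumptions for the example.

```python
import ipaddress
import re
import shutil
import subprocess
from typing import List, Optional

# Allowlist for a hostname: labels of 1-63 alphanumerics/hyphens, not starting
# or ending with a hyphen, total length at most 253 (constructed for this example).
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)"
    r"(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)*"
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$"
)


def insecure_command_line(user_input: str) -> str:
    """The CWE-78 pattern: user input concatenated into a string destined for a shell.
    Returned only for illustration; it is never executed here."""
    return "traceroute " + user_input


def is_valid_target(user_input: str) -> bool:
    """True only if the input is syntactically an IP address or a hostname."""
    target = user_input.strip()
    if not target or target != user_input:
        return False  # reject empty input and surrounding whitespace outright
    try:
        ipaddress.ip_address(target)
        return True
    except ValueError:
        pass
    return _HOSTNAME_RE.fullmatch(target) is not None


def build_tracert_argv(user_input: str, max_hops: int = 30) -> List[str]:
    """Hardened form: validate first, then build an argv list (no shell involved)."""
    if not is_valid_target(user_input):
        raise ValueError("rejected traceroute target: %r" % user_input)
    if not 1 <= max_hops <= 64:
        raise ValueError("max_hops out of range")
    # A valid target cannot begin with '-', so it cannot be parsed as an option.
    return ["traceroute", "-m", str(max_hops), user_input]


def run_tracert(user_input: str) -> Optional[subprocess.CompletedProcess]:
    """Run the validated command without a shell; None if traceroute is absent."""
    argv = build_tracert_argv(user_input)
    if shutil.which(argv[0]) is None:
        return None
    return subprocess.run(argv, capture_output=True, text=True, timeout=60, check=False)
```

Pairing the allowlist with running the diagnostic handler as an unprivileged user (the AC-6 control) means that even a bypass of the validator cannot yield root.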