CVE-2024-37642
Published: 14 June 2024
Summary
CVE-2024-37642 is a critical-severity command injection (CWE-77) vulnerability in TRENDnet TEW-814DAP firmware. Its CVSS base score is 9.1 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 4.1% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a referenced public proof-of-concept.
Deeper analysis
TRENDnet TEW-814DAP version 1 running firmware FW1.01B01 contains a command injection vulnerability in the system check functionality. The flaw, tracked as CVE-2024-37642 and assigned CWE-77, allows unsanitized input passed through the ipv4_ping and ipv6_ping parameters of the /formSystemCheck endpoint to be executed by the device. It received a CVSS 3.1 score of 9.1, reflecting a network attack vector, low attack complexity, and no required authentication or user interaction.
An unauthenticated attacker with network access can supply crafted values to these parameters and achieve arbitrary command execution on the access point. Successful exploitation grants the ability to read or modify sensitive data and alter device behavior, while the availability impact is limited according to the provided scoring.
The two referenced GitHub reports document the discovery but contain no vendor advisory, firmware update, or mitigation guidance. The associated EPSS score has remained steady at 0.2175 with no material increase observed since publication.
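The root cause described above is a ping target taken from a form field and handed to a command interpreter without validation. The following is an added example of the hardened pattern a defender would expect in such a handler; it is illustrative code written for this page, not TRENDnet's firmware or any code from the referenced reports. The parameter names ipv4_ping and ipv6_ping come from the CVE description; the function names, the iputils-style `ping -c` / `-6` flags, and the form-handling shape are assumptions.

```python
import ipaddress
import subprocess
from typing import Dict, List

# Parameter names come from the CVE description; the version each one is
# expected to carry is an assumption made for this illustration.
PING_PARAMS = {
    "ipv4_ping": 4,
    "ipv6_ping": 6,
}


def parse_ping_target(param: str, value: str) -> str:
    """Return a canonical IP literal for `value`, or raise ValueError.

    Only IP address literals are accepted. Hostnames, whitespace, shell
    metacharacters and anything else fail the parse, so the returned
    string can never carry extra command text.
    """
    if param not in PING_PARAMS:
        raise ValueError(f"unknown parameter: {param}")
    value = value.strip()
    if not value:
        raise ValueError(f"{param}: empty target")
    try:
        addr = ipaddress.ip_address(value)
    except ValueError as exc:
        raise ValueError(f"{param}: not an IP address literal") from exc
    if addr.version != PING_PARAMS[param]:
        raise ValueError(f"{param}: expected an IPv{PING_PARAMS[param]} address")
    return str(addr)


def is_valid_ping_target(param: str, value: str) -> bool:
    """Boolean form of parse_ping_target, convenient for request filtering."""
    try:
        parse_ping_target(param, value)
    except ValueError:
        return False
    return True


def build_ping_argv(param: str, value: str, count: int = 3) -> List[str]:
    """Build an argv list for ping (iputils flags assumed); no shell is involved."""
    target = parse_ping_target(param, value)
    argv = ["ping", "-c", str(count)]
    if PING_PARAMS[param] == 6:
        argv.append("-6")
    argv.append(target)
    return argv


def handle_system_check(form: Dict[str, str]) -> List[List[str]]:
    """Validate a /formSystemCheck-style form and return the commands to run.

    Raises ValueError on the first bad field so nothing runs for a
    partially valid request.
    """
    commands = []
    for param in PING_PARAMS:
        if param in form:
            commands.append(build_ping_argv(param, form[param]))
    return commands


def run_ping(argv: List[str], timeout: float = 10.0) -> int:
    """Execute one validated argv with subprocess in list form (shell=False)."""
    proc = subprocess.run(argv, capture_output=True, text=True,
                          timeout=timeout, check=False)
    return proc.returncode


if __name__ == "__main__":
    # Constructed sample inputs (documentation addresses, not real hosts).
    good = {"ipv4_ping": "192.0.2.1", "ipv6_ping": "2001:db8::1"}
    for argv in handle_system_check(good):
        print("would run:", argv)
    bad = {"ipv4_ping": "192.0.2.1; uptime"}
    try:
        handle_system_check(bad)
    except ValueError as err:
        print("rejected:", err)
```

The two controls that matter are independent: the strict parse means only an address literal survives validation, and the argv list means that even a value which slipped through would reach ping as a single argument rather than being interpreted by a shell. Either one alone would have closed the path this CVE describes; keeping both is cheap.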
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-36787
Vulnerability details
TRENDnet TEW-814DAP v1_(FW1.01B01) was discovered to contain a command injection vulnerability via the ipv4_ping, ipv6_ping parameter at /formSystemCheck.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Command injection via web interface parameters (ipv4_ping, ipv6_ping) in a network access point enables remote code execution, mapping to exploitation of public-facing applications/remote services and Unix shell command execution.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.