CVE-2018-20122

The web interface on FASTGate Fastweb devices with firmware through 0.00.47_FW_200_Askey 2017-05-17 (software through 1.0.1b) exposed a CGI binary that is vulnerable to a command injection vulnerability that can be exploited to achieve remote code execution with root privileges. No authentication is required in order to trigger the vulnerability.
OS Command Injection
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
9.8 CRITICAL
NETWORK
LOW
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
mitreCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 90%
VendorProductVersion
fastwebfastgate_firmware
𝑥
≤ 1.0.1b
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
http://www.horizonsecurity.it/advisories/?a=12&title=Fastweb+FastGate+router+101b+Remote+code+execution++CVE201820122
http://www.horizonsecurity.it/advisories/?a=12&title=Fastweb+FastGate+router+101b+Remote+code+execution++CVE201820122