First published: Thu Mar 07 2019
An issue was discovered on Motorola C1 and M2 devices with firmware 1.01 and 1.07 respectively. The issue is a command injection that allows a remote attacker to execute arbitrary code and get a root shell. The vulnerability allows attackers to execute arbitrary OS commands via a crafted /HNAP1 POST request. It occurs when any HNAP API function triggers a call to the system function with untrusted input from the request body, as demonstrated for the SetNTPServerSettings API function by shell metacharacters in the system_time_timezone field.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Motorola M2 Firmware | =1.07 | |
| Motorola M2 | | |
| Motorola C1 Firmware | =1.01 | |
| Motorola C1 | | |
CVE-2019-9118 is a Command Injection vulnerability found on Motorola C1 and M2 devices with firmware 1.01 and 1.07 respectively, allowing remote attackers to execute arbitrary code and get a root shell.
The severity of CVE-2019-9118 is critical, with a CVSS score of 9.8.
CVE-2019-9118 affects Motorola C1 devices with firmware version 1.01 and Motorola M2 devices with firmware version 1.07, allowing remote attackers to execute arbitrary commands and potentially gain root access.
Yes, Motorola C1 devices with firmware version 1.01 are vulnerable to CVE-2019-9118.
Yes, updating the firmware to version 1.08 for Motorola C1 and version 1.08 for Motorola M2 devices fixes the vulnerability.