CVE-2024-22366: OS Command Injection
First published: Wed Jan 24 2024(Updated: )
Active debug code exists in Yamaha wireless LAN access point devices. If a logged-in user who knows how to use the debug function accesses the device's management page, this function can be enabled by performing specific operations. As a result, an arbitrary OS command may be executed and/or configuration settings of the device may be altered. Affected products and versions are as follows: WLX222 firmware Rev.24.00.03 and earlier, WLX413 firmware Rev.22.00.05 and earlier, WLX212 firmware Rev.21.00.12 and earlier, WLX313 firmware Rev.18.00.12 and earlier, and WLX202 firmware Rev.16.00.18 and earlier.
Credit: vultures@jpcert.or.jp
| Affected Software | Affected Version | How to fix |
|---|---|---|
| All of | ||
| Yamaha Wlx222 Firmware | <24.00.04 | |
| Yamaha Wlx222 | ||
| All of | ||
| Yamaha Wlx413 Firmware | <22.00.06 | |
| Yamaha Wlx413 | ||
| All of | ||
| Yamaha Wlx212 Firmware | <21.00.13 | |
| Yamaha Wlx212 | ||
| All of | ||
| Yamaha Wlx313 Firmware | <18.00.13 | |
| Yamaha Wlx313 | ||
| All of | ||
| Yamaha Wlx202 Firmware | <16.00.19 | |
| Yamaha Wlx202 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2024-22366?
CVE-2024-22366 is a high severity vulnerability due to the potential for arbitrary OS command execution.
How do I fix CVE-2024-22366?
To fix CVE-2024-22366, ensure that your Yamaha wireless LAN access point firmware is updated to the latest version available.
Which devices are affected by CVE-2024-22366?
CVE-2024-22366 affects certain Yamaha wireless LAN access point devices including WLX222, WLX413, WLX212, WLX313, and WLX202.
What kind of attack can be executed through CVE-2024-22366?
An attacker with access to the device's management page can execute arbitrary OS commands through the active debug code.
Is it necessary to disable the debug function to protect against CVE-2024-22366?
Yes, disabling the debug function is a recommended step to mitigate the risk associated with CVE-2024-22366.
- agent/references
- agent/type
- agent/first-publish-date
- agent/description
- agent/author
- agent/event
- agent/severity
- agent/weakness
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- agent/softwarecombine
- agent/tags
- collector/epss-latest
- source/FIRST
- agent/epss
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/source
- vendor/yamaha
- canonical/yamaha wlx222 firmware
- canonical/yamaha wlx222
- canonical/yamaha wlx413 firmware
- canonical/yamaha wlx413
- canonical/yamaha wlx212 firmware
- canonical/yamaha wlx212
- canonical/yamaha wlx313 firmware
- canonical/yamaha wlx313
- canonical/yamaha wlx202 firmware
- canonical/yamaha wlx202