A recent report by security researcher H00die.Gr3y has revealed a series of critical vulnerabilities affecting several Netis routers, as well as their rebranded counterparts from GLCtec and Stonet. These vulnerabilities, tracked as CVE-2024-48455, CVE-2024-48456, and CVE-2024-48457, could be chained together to allow unauthenticated remote code execution (RCE), exposing thousands of devices to exploitation.
- CVE-2024-48455: This information disclosure flaw allows an unauthenticated attacker to obtain sensitive configuration data, including firmware version and network settings. Attackers can exploit the /cgi-bin/skk_get.cgi web endpoint to query vulnerable devices and assess their suitability for further attacks.
- CVE-2024-48456: This is an authenticated command injection vulnerability in the router’s password change functionality. Malicious actors can exploit the password and new password parameters, injecting base64-encoded commands to gain remote shell access. When combined with other vulnerabilities, this flaw enables full control over the router.
- CVE-2024-48457: An authentication bypass flaw that allows unauthenticated attackers to reset router and WiFi passwords. Exploiting this issue lets attackers effectively control the device, paving the way for the exploitation of CVE-2024-48456.
By chaining these vulnerabilities, attackers can bypass authentication, reset device credentials, and execute arbitrary commands, gaining full control of affected routers. The flaws affect multiple firmware versions, including but not limited to:
- netis_MW5360_V1.0.1.3031_fw.bin
- netis_NC65v2-V3.0.0.3800.bin
- Netis_NX10-V3.0.1.4205.bin
A full list of affected firmware versions is available in the Netis firmware support documentation.
H00die.Gr3y demonstrated the exploit chain using tools like FirmAE for firmware emulation and Ghidra for binary analysis, highlighting poor security practices such as linking the router’s admin password to its root system password.
Netis and its rebranded partners have yet to release official patches addressing these vulnerabilities.
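Until patches exist, the reconnaissance step described for CVE-2024-48455 is something a defender can watch for. The sketch below is an added example, not code from the report or from H00die.Gr3y: it scans web access logs for requests to /cgi-bin/skk_get.cgi from outside the management subnet and escalates when a POST from the same source follows shortly after. The log format (common log format from a proxy or sensor in front of the router), the subnet, the 10-minute window, the placeholder POST path and the sample lines are all assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumptions (not from the report): log format, admin subnet, time window.
PROBE_PATH = "/cgi-bin/skk_get.cgi"       # endpoint the report names for CVE-2024-48455
MGMT_NET = ip_network("192.168.1.0/24")   # hypothetical management subnet
WINDOW = timedelta(minutes=10)            # hypothetical correlation window
LINE_RE = re.compile(r'(\S+) \S+ \S+ \[([^\]]+)\] "([A-Z]+) (\S+)[^"]*" \d{3}')

# Constructed sample lines (documentation addresses, placeholder POST path).
SAMPLE_LOG = """\
192.168.1.10 - - [12/Jan/2025:09:00:01 +0000] "GET /cgi-bin/skk_get.cgi HTTP/1.1" 200 512
203.0.113.7 - - [12/Jan/2025:09:05:12 +0000] "GET /cgi-bin/skk_get.cgi HTTP/1.1" 200 512
203.0.113.7 - - [12/Jan/2025:09:06:40 +0000] "POST /cgi-bin/placeholder.cgi HTTP/1.1" 200 64
198.51.100.23 - - [12/Jan/2025:09:07:00 +0000] "GET /cgi-bin/skk_get.cgi?x=1 HTTP/1.1" 200 512
198.51.100.23 - - [12/Jan/2025:10:30:00 +0000] "POST /cgi-bin/placeholder.cgi HTTP/1.1" 200 64
"""

def analyze(log_text):
    """Map each source outside MGMT_NET that requested PROBE_PATH to a severity."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than guess
        src, ts, method, path = m.groups()
        try:
            if ip_address(src) in MGMT_NET:
                continue
        except ValueError:
            continue  # source field is not an IP address
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        events[src].append((when, method, path.split("?", 1)[0]))
    findings = {}
    for src, evs in events.items():
        probes = sorted(when for when, _, path in evs if path == PROBE_PATH)
        if not probes:
            continue
        # Escalate when a state-changing request follows the first probe closely.
        follow = any(method == "POST" and probes[0] <= when <= probes[0] + WINDOW
                     for when, method, _ in evs)
        findings[src] = "probe+write" if follow else "probe"
    return findings

if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

A "probe" finding alone indicates the management interface is reachable from outside the admin subnet, which is worth closing off regardless of whether a later request followed.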