[CVE-2013-2612] Huawei E587 3G Mobile Hotspot Command Injection ________________________________________________________________________ Summary: Huawei E587 3G Mobile Hotspot, version 11.203.27, is prone to a command injection vulnerability in the Web UI. Successful exploitation allows unauthenticated attackers to execute arbitrary commands with root privileges. ________________________________________________________________________ Details: The HTTP endpoint "/api/device/time" in Web UI is vulnerable to shell command injection. This allows code execution with root privileges. ________________________________________________________________________ CVSS Version 2 Metrics: Access Vector: Network exploitable Access Complexity: Low Authentication: Not required to exploit Confidentiality Impact: Complete Integrity Impact: Complete Availability Impact: Complete ________________________________________________________________________ Disclosure Timeline: 2013-03-18 Vendor notified 2013-03-18 CVE-2013-2612 assigned 2013-07-15 Public advisory ________________________________________________________________________ References: http://www.huawei.com/en/security/psirt/ ________________________________________________________________________ Fracdacric Basse