WattBox 800 & 820 Series < 2.10.0.0 RCE via Diagnostic Endpoints

Snap One WattBox 800 and 820 series firmware versions prior to 2.10.0.0 contain undisclosed diagnostic HTTP endpoints that require only the device MAC address and service tag for authentication, both of which are printed in plaintext on the physical device label. Attackers with access to the device label or documentation containing these values can authenticate to the several endpoints and execute arbitrary commands as root on the device.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

隐藏功能

Snap One Wattbox 信任管理问题漏洞

Snap One Wattbox是Snap One公司的一系列电源解决方案。 Snap One WattBox 800和820 2.10.0.0之前版本存在信任管理问题漏洞，该漏洞源于包含未公开的诊断HTTP端点，可能导致攻击者通过设备标签上的MAC地址和服务标签认证并执行任意命令。

N/A

N/A