Key Information

Vulnerability Overview

Vulnerability Name: DCME-720
Date: 2025/8/4 11:20:53
Description: The DCME-720 strip-shaped export gateway adopts a multi-core high-performance processor combined with a dedicated ASIC switching chip, designed as a new-generation high-performance internet export gateway to meet the demands of large-scale user numbers, high traffic volumes, and diverse service types. Its web management backend contains a command execution vulnerability, allowing attackers to execute arbitrary code and take control of the device by exploiting this vulnerability.

Code Audit

File Location: /usr/local/www/function/audit/newstatistics/ip_block.php
Critical Code:
Issue: The code constructs commands using user-controllable parameters, leading to a command injection vulnerability.

Verification

URL: http://8363-218-19-14-194.ngrok-free.app/function/audit/newstatistics/ip_block.php
Payload: ?action=save&switch=1&ip=echo%20123%20%3E%201.txt
Result: Successfully created and wrote to the file 1.txt with content "123".

Remediation Recommendation

Modify the backend PHP code to sanitize or filter the relevant parameters.
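
One way to apply this recommendation to the action, switch and ip parameters named in the report, as an added example that is not the vendor's code. The helper path and its add/del arguments are hypothetical placeholders, since the report does not show the command that ip_block.php builds.

```php
<?php
// Added example, not the vendor's code. BLOCK_HELPER and its "add"/"del"
// arguments are hypothetical stand-ins for the command ip_block.php runs.
const BLOCK_HELPER = '/usr/local/bin/ip-block-helper'; // hypothetical path

/**
 * Validate the request parameters named in the report (action, switch, ip).
 * Returns the argv array to execute, or null when any value is rejected.
 */
function build_block_argv(array $params): ?array
{
    // Allowlist the action instead of passing it through.
    if (($params['action'] ?? '') !== 'save') {
        return null;
    }
    // switch must be exactly "0" or "1".
    $switch = $params['switch'] ?? '';
    if ($switch !== '0' && $switch !== '1') {
        return null;
    }
    // ip must parse as a literal IPv4/IPv6 address; a value containing
    // spaces, redirection or other shell syntax fails this check.
    $ip = $params['ip'] ?? '';
    if (!is_string($ip) || filter_var($ip, FILTER_VALIDATE_IP) === false) {
        return null;
    }
    return [BLOCK_HELPER, $switch === '1' ? 'add' : 'del', $ip];
}

/**
 * Run argv without a shell (array form of proc_open, PHP 7.4+), so the
 * values are never re-parsed as shell syntax even if validation regresses.
 * On older PHP, build the string with escapeshellarg() on every argument.
 */
function run_argv(array $argv): int
{
    $null = ['file', '/dev/null', 'w'];
    $proc = proc_open($argv, [1 => $null, 2 => $null], $pipes);
    return is_resource($proc) ? proc_close($proc) : -1;
}

// In the handler: $argv = build_block_argv($_GET); reject with HTTP 400 when
// null, otherwise call run_argv($argv).
// Constructed inputs: the report's ip value (URL-decoded) and a valid address.
var_dump(build_block_argv(['action' => 'save', 'switch' => '1', 'ip' => 'echo 123 > 1.txt']));
var_dump(build_block_argv(['action' => 'save', 'switch' => '1', 'ip' => '192.0.2.10']));
```

Validation rejects the malformed value before any command is built, and the shell-free execution path is a second layer that holds even if a later change loosens the validation.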