CVE-2025-26056 PoC — Infinxt iEdge 100 Security Vulnerability

Associated Vulnerability
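Title: Infinxt iEdge 100 Security Vulnerability (CVE-2025-26056)
Description: Infinxt iEdge 100 is a next-generation secure SD-WAN appliance from Infinxt for small and medium-sized branch offices. Infinxt iEdge 100 version 2.1.32 contains a security vulnerability caused by improper validation of user input to the mtrIp parameter in the MTR function of the Troubleshoot module, which may lead to execution of arbitrary operating system commands.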
Readme
# CVE-2025-26056

# Author: Rohan Deshpande

# OS Command Injection

# Summary 
OS command injection is a security vulnerability that allows an 
attacker to execute arbitrary commands on a host operating system 
via a vulnerable application. This can lead to unauthorized access, 
data breaches, and system compromise.

# Impact 
The impact of OS command injection can include unauthorized 
access to system resources, data theft, system compromise, and 
potential full control over the affected server, leading to severe 
security breaches and operational disruptions.

# Affected URL 
http://<ip>:<port>/generateMTRReport

# Recommendation 
To mitigate OS command injection vulnerabilities, validate and 
sanitize all user inputs, use parameterized commands or APIs, and 
implement least privilege principles to limit the execution context of 
applications. Regular security testing and code reviews are also 
essential to identify and remediate potential weaknesses. 
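
One way to apply this recommendation to a handler such as the MTR report endpoint, as an added example (not code from the original README or from Infinxt): the target is accepted only if it parses as an IP address or RFC 1123 hostname, and `mtr` is started from an argument list with no shell. The function names and the chosen `mtr` report options are assumptions.

```python
import ipaddress
import re
import subprocess

# One DNS label: letters, digits, hyphen; no leading or trailing hyphen (RFC 1123).
_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")


def validate_mtr_target(value):
    """Return a canonical IP address or hostname; raise ValueError otherwise."""
    # "%" is refused up front: IPv6 zone IDs may carry arbitrary text.
    if not isinstance(value, str) or not 0 < len(value) <= 253 or "%" in value:
        raise ValueError("target missing, too long, or contains '%'")
    try:
        return str(ipaddress.ip_address(value))  # IPv4 or IPv6 literal
    except ValueError:
        pass
    host = value[:-1] if value.endswith(".") else value
    # fullmatch: whitespace, newlines and shell metacharacters never match a label
    if all(_LABEL.fullmatch(label) for label in host.split(".")):
        return host
    raise ValueError("target is not an IP address or hostname")


def build_mtr_argv(value):
    """Build the argument vector for an mtr report (hypothetical helper)."""
    target = validate_mtr_target(value)
    # "--" ends option parsing, so the target can never be read as a flag
    return ["mtr", "--report", "--report-cycles", "3", "--", target]


def run_mtr_report(value):
    # A list with shell=False (the default) goes straight to exec: no shell
    # ever parses the request parameter.
    done = subprocess.run(build_mtr_argv(value), capture_output=True,
                          text=True, timeout=60, check=False)
    return done.stdout


if __name__ == "__main__":
    # Constructed sample values, not taken from the original page.
    for sample in ["192.0.2.10", "example.net", "192.0.2.10 && echo x", "-h"]:
        try:
            print(sample, "->", build_mtr_argv(sample))
        except ValueError as exc:
            print(sample, "-> rejected:", exc)
```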

# Proof of Concept
1. Log in to the console and navigate to Troubleshoot → MTR.
2. Enter an IP and capture the request in Burp.
3. Try to fetch the ‘/etc/passwd’ file through the mtrIP parameter and notice that the file is displayed in the HTTP response.