CVE-2016-8721

An exploitable OS Command Injection vulnerability exists in the web application 'ping' functionality of Moxa AWK-3131A Wireless Access Points running firmware 1.1. Specially crafted web form input can cause an OS Command Injection resulting in complete compromise of the vulnerable device. An attacker can exploit this vulnerability remotely.

CVSS v3 9.1 CRITICAL
CVSS v2.0 9.0 HIGH

9.1^/10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 2.3 / Impact : 6.0

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope CHANGED

9.0^/10

CVSS v2.0 : HIGH

V2 Legend

Vector : AV:N/AC:L/Au:S/C:C/I:C/A:C

Exploitability : 8.0 / Impact : 10.0

Access Vector NETWORK

Access Complexity LOW

Authentication SINGLE

Confidentiality Impact COMPLETE

Integrity Impact COMPLETE

Availability Impact COMPLETE

References

Link	Resource
http://www.talosintelligence.com/reports/TALOS-2016-0235/	Exploit Technical Description Third Party Advisory VDB Entry
http://www.talosintelligence.com/reports/TALOS-2016-0235/	Exploit Technical Description Third Party Advisory VDB Entry

Configurations

Configuration 1 (hide)

AND

cpe:2.3:o:moxa:awk-3131a_firmware:1.1:*:*:*:*:*:*:*

cpe:2.3:h:moxa:awk-3131a:-:*:*:*:*:*:*:*

History

21 Nov 2024, 02:59

Type	Values Removed	Values Added
References	~~() http://www.talosintelligence.com/reports/TALOS-2016-0235/ - Exploit, Technical Description, Third Party Advisory, VDB Entry~~	() http://www.talosintelligence.com/reports/TALOS-2016-0235/ - Exploit, Technical Description, Third Party Advisory, VDB Entry

Information

Published : 2017-04-20 18:59

Updated : 2025-04-20 01:37

NVD link : CVE-2016-8721

Mitre link : CVE-2016-8721

CVE.ORG link : CVE-2016-8721

JSON object : View

Products Affected

moxa

awk-3131a_firmware
awk-3131a

CWE

CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

{"id": "CVE-2016-8721", "cveTags": [], "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 9.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "authentication": "SINGLE", "integrityImpact": "COMPLETE", "accessComplexity": "LOW", "availabilityImpact": "COMPLETE", "confidentialityImpact": "COMPLETE"}, "acInsufInfo": false, "impactScore": 10.0, "baseSeverity": "HIGH", "obtainAllPrivilege": false, "exploitabilityScore": 8.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV30": [{"type": "Secondary", "source": "talos-cna@cisco.com", "cvssData": {"scope": "CHANGED", "version": "3.0", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 6.0, "exploitabilityScore": 2.3}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 6.0, "exploitabilityScore": 2.3}]}, "published": "2017-04-20T18:59:01.577", "references": [{"url": "http://www.talosintelligence.com/reports/TALOS-2016-0235/", "tags": ["Exploit", "Technical Description", "Third Party Advisory", "VDB Entry"], "source": "talos-cna@cisco.com"}, {"url": "http://www.talosintelligence.com/reports/TALOS-2016-0235/", "tags": ["Exploit", "Technical Description", "Third Party Advisory", "VDB Entry"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Deferred", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-78"}]}], "descriptions": [{"lang": "en", "value": "An exploitable OS Command Injection vulnerability exists in the web application 'ping' functionality of Moxa AWK-3131A Wireless Access Points running firmware 1.1. Specially crafted web form input can cause an OS Command Injection resulting in complete compromise of the vulnerable device. An attacker can exploit this vulnerability remotely."}, {"lang": "es", "value": "Existe una vulnerabilidad de Inyecci\u00f3n explotable de Comando OS en la funcionalidad 'ping' de la aplicaci\u00f3n web de Moxa AWK-3131A Wireless Access Points que ejecutan el firmware 1.1. Una entrada de formulario web especialmente manipulada puede provocar una inyecci\u00f3n de Comando del SO, resultando en un comprometimiento total del dispositivo vulnerable. Un atacante puede explotar esta vulnerabilidad de forma remota."}], "lastModified": "2025-04-20T01:37:25.860", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:moxa:awk-3131a_firmware:1.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "DA62CFB0-5FF5-4468-8667-E87006FE9686"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:moxa:awk-3131a:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "143AB2D7-E663-4F5D-A9EC-5E3A15B114E0"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "talos-cna@cisco.com"}

9.1 /10