Vulnerability Details CVE-2016-6558
A command injection vulnerability exists in apply.cgi in the web interface of the ASUS RP-AC52 access point, firmware version 1.0.1.1s and possibly earlier, specifically in the action_script parameter. The action_script parameter specifies a script to be executed if the action_mode parameter does not contain a valid state. If the input provided in action_script does not match one of the hard-coded options, it is executed as the argument of either a system() or an eval() call, allowing arbitrary commands to be executed.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.048
EPSS Ranking 88.9%
CVSS Severity
CVSS v3 Score 9.8
CVSS v2 Score 7.5
Products affected by CVE-2016-6558
- cpe:2.3:o:asus:ea-n66_firmware:-
- cpe:2.3:o:asus:rp-ac52_firmware:1.0.1.1s
- cpe:2.3:o:asus:rp-ac56_firmware:-
- cpe:2.3:o:asus:rp-n12_firmware:-
- cpe:2.3:o:asus:rp-n14_firmware:-
- cpe:2.3:o:asus:rp-n53_firmware:-
- cpe:2.3:o:asus:wmp-n12_firmware:-