CVSS: 9.0EPSS: 0%CPEs: 2EXPL: 0CVE-2024-31977
https://notcve.org/view.php?id=CVE-2024-31977
24 Jul 2024 — Adtran 834-5 11.1.0.101-202106231430, and fixed as of SmartOS Version 12.5.5.1, devices allow OS Command Injection via shell metacharacters to the Ping or Traceroute utility. Adtran 834-5 11.1.0.101-202106231430, and fixed as of SmartOS Version 12.6.3.1, devices allow OS Command Injection via shell metacharacters to the Ping or Traceroute utility. • https://drive.proton.me/urls/GXDM5T5NSG#RHa0yVWSKyoz • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 8.3EPSS: 0%CPEs: 2EXPL: 0CVE-2024-39345
https://notcve.org/view.php?id=CVE-2024-39345
24 Jul 2024 — AdTran 834-5 HDC17600021F1 (SmartOS 11.1.1.1) devices enable the SSH service by default and have a hidden, undocumented, hard-coded support account whose password is based on the devices MAC address. All of the devices internet interfaces share a similar MAC address that only varies in their final octet. This allows network-adjacent attackers to derive the support user's SSH password by decrementing the final octet of the connected gateway address or via the BSSID. An attacker can then execute arbitrary OS ... • https://github.com/actuator/cve/blob/main/AdTran/CVE-2024-39345 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') CWE-259: Use of Hard-coded Password •
CVSS: 9.0EPSS: 0%CPEs: 2EXPL: 0CVE-2024-31970
https://notcve.org/view.php?id=CVE-2024-31970
24 Jul 2024 — AdTran SRG 834-5 HDC17600021F1 devices (with SmartOS 11.1.1.1 and fixed in Version 12.1.3.1) have SSH enabled by default, accessible both over the LAN and the Internet. During a window of time when the device is being set up, it uses a default username and password combination of admin/admin with root-level privileges. An attacker can exploit this window to gain unauthorized root access by either modifying the existing admin account or creating a new account with equivalent privileges. This vulnerability al... • https://github.com/actuator/cve/blob/main/AdTran/CVE-2024-31970 • CWE-863: Incorrect Authorization •