
CVE-2025-2922 – Netis WF-2404 BusyBox Shell cleartext storage
https://notcve.org/view.php?id=CVE-2025-2922
28 Mar 2025 — A vulnerability classified as problematic was found in Netis WF-2404 1.1.124EN. Affected by this vulnerability is an unknown functionality of the component BusyBox Shell. The manipulation leads to cleartext storage of sensitive information. It is possible to launch the attack on the physical device. The complexity of an attack is rather high. • https://scoozi.substack.com/p/hacking-a-netis-wf-2404-router-with • CWE-310: Cryptographic Issues • CWE-312: Cleartext Storage of Sensitive Information

CVE-2025-2921 – Netis WF-2404 passwd default password
https://notcve.org/view.php?id=CVE-2025-2921
28 Mar 2025 — A vulnerability classified as critical has been found in Netis WF-2404 1.1.124EN. Affected is an unknown function of the file /etc/passwd. The manipulation with the input Realtek leads to use of a default password. It is possible to launch the attack on the physical device. The complexity of an attack is rather high. • https://scoozi.substack.com/p/hacking-a-netis-wf-2404-router-cont • CWE-1393: Use of Default Password

CVE-2025-2920 – Netis WF-2404 passwd weak hash
https://notcve.org/view.php?id=CVE-2025-2920
28 Mar 2025 — A vulnerability was found in Netis WF-2404 1.1.124EN. It has been rated as problematic. This issue affects some unknown processing of the file /etc/passwd. The manipulation leads to use of a weak hash. It is possible to launch the attack on the physical device. • https://scoozi.substack.com/p/hacking-a-netis-wf-2404-router-cont • CWE-327: Use of a Broken or Risky Cryptographic Algorithm • CWE-328: Use of Weak Hash

CVE-2025-2919 – Netis WF-2404 UART hardware allows activation of test or debug logic at runtime
https://notcve.org/view.php?id=CVE-2025-2919
28 Mar 2025 — A vulnerability was found in Netis WF-2404 1.1.124EN. It has been declared as critical. This vulnerability affects unknown code of the component UART. The manipulation leads to a condition in which the hardware allows activation of test or debug logic at runtime. It is possible to launch the attack on the physical device. • https://scoozi.substack.com/p/hacking-a-netis-wf-2404-router-with • CWE-489: Active Debug Code • CWE-1313: Hardware Allows Activation of Test or Debug Logic at Runtime

CVE-2025-1617 – Netis WF2780 Wireless 2.4G Menu cross site scripting
https://notcve.org/view.php?id=CVE-2025-1617
24 Feb 2025 — A vulnerability, which was classified as problematic, was found in Netis WF2780 2.1.41925. This affects an unknown part of the component Wireless 2.4G Menu. The manipulation of the argument SSID leads to cross site scripting. It is possible to initiate the attack remotely. The vendor was contacted early about this disclosure but did not respond in any way. • https://vuldb.com/?ctiid.296607 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') • CWE-94: Improper Control of Generation of Code ('Code Injection')

CVE-2024-33791
https://notcve.org/view.php?id=CVE-2024-33791
03 May 2024 — A cross-site scripting (XSS) vulnerability in netis-systems MEX605 v2.00.06 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the getTimeZone function. • https://github.com/ymkyu/CVE/tree/main/CVE-2024-33791 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2024-33792
https://notcve.org/view.php?id=CVE-2024-33792
03 May 2024 — netis-systems MEX605 v2.00.06 allows attackers to execute arbitrary OS commands via a crafted payload to the tracert page. • https://github.com/ymkyu/CVE/tree/main/CVE-2024-33792 • CWE-20: Improper Input Validation

CVE-2024-33793
https://notcve.org/view.php?id=CVE-2024-33793
03 May 2024 — netis-systems MEX605 v2.00.06 allows attackers to execute arbitrary OS commands via a crafted payload to the ping test page. • https://github.com/ymkyu/CVE/tree/main/CVE-2024-33793 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

CVE-2024-25850
https://notcve.org/view.php?id=CVE-2024-25850
22 Feb 2024 — Netis WF2780 v2.1.40144 was discovered to contain a command injection vulnerability via the wps_ap_ssid5g parameter. • https://github.com/no1rr/Vulnerability/blob/master/netis/igd_wps_set_wps_ap_ssid5g.md • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')

CVE-2024-25851
https://notcve.org/view.php?id=CVE-2024-25851
22 Feb 2024 — Netis WF2780 v2.1.40144 was discovered to contain a command injection vulnerability via the config_sequence parameter in other_para of cgitest.cgi. • https://github.com/no1rr/Vulnerability/blob/master/netis/other_para_config_sequence.md • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')