← Volver a CVEs
CVE-2010-5330
CRITICALCISA KEV9.8
Descripcion
On certain Ubiquiti devices, Command Injection exists via a GET request to stainfo.cgi (aka Show AP info) because the ifname variable is not sanitized, as demonstrated by shell metacharacters. The fixed version is v4.0.1 for 802.11 ISP products, v5.3.5 for AirMax ISP products, and v5.4.5 for AirSync firmware. For example, Nanostation5 (Air OS) is affected.
Detalles CVE
Puntuacion CVSS v3.19.8
SeveridadCRITICAL
Vector CVSSCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Vector de ataqueNETWORK
ComplejidadLOW
Privilegios requeridosNONE
Interaccion usuarioNONE
Publicado6/11/2019
Ultima modificacion11/5/2025
Fuentekev
Avistamientos honeypot0
CISA KEV
VendedorUbiquiti
ProductoAirOS
Nombre vulnerabilidadUbiquiti AirOS Command Injection Vulnerability
Fecha inclusion KEV2022-04-15
Fecha limite remediacion2022-05-06
Uso en ransomwareUnknown
Productos afectados
ui:airos
Debilidades (CWE)
CWE-77CWE-77
Referencias
https://community.ubnt.com/t5/airMAX-General-Discussion/AirOS-Security-Exploit-Updated-Firmware/td-p/212974(cve@mitre.org)
https://www.exploit-db.com/exploits/14146(cve@mitre.org)
https://community.ubnt.com/t5/airMAX-General-Discussion/AirOS-Security-Exploit-Updated-Firmware/td-p/212974(af854a3a-2127-422b-91ae-364da2661108)
https://www.exploit-db.com/exploits/14146(af854a3a-2127-422b-91ae-364da2661108)
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2010-5330(134c704f-9b21-4f2e-91b3-4a467353bcc0)
Correlaciones IOC
Sin correlaciones registradas
This product uses data from the NVD API but is not endorsed or certified by the NVD.