Atelmo Atemio AM 520 HD Full HD Satellite Receiver

View CSAF

1. EXECUTIVE SUMMARY

  • CVSS v4 9.3
  • ATTENTION: Exploitable remotely/low attack complexity/public exploits are available
  • Vendor: Atelmo
  • Equipment: Atemio AM 520 HD Full HD Satellite Receiver
  • Vulnerability: OS Command Injection

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an unauthorized attacker to execute system commands with elevated privileges.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Atelmo Atemio AM 520 HD, a satellite receiver, are affected:

  • Atemio AM 520 HD: TitanNit 2.01 and prior

3.2 Vulnerability Overview

3.2.1 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN AN OS COMMAND (‘OS COMMAND INJECTION’) CWE-78

The device enables an unauthorized attacker to execute system commands with elevated privileges. This exploit is facilitated through the use of the ‘getcommand’ query within the application, allowing the attacker to gain root access.

CVE-2024-9166 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-9166. A base score of 9.3 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND