MidnightBSD

Advisories for microhardcorp

CVE-2018-25143

Microhard Systems IPn4G 1.1.0 contains a service vulnerability that allows authenticated users to enable a restricted SSH shell with a default 'msshc' user. Attackers can exploit a custom 'ping' command in the NcFTP environment to escape the restricted shell and execute commands with root privileges.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
disclosure@vulncheck.com 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 2.8 5.9

Products Affected

Vendor Product Version
microhardcorp ipn3gb_firmware 2.2.0
microhardcorp ipn4gb_firmware 1.1.6
microhardcorp bullet-3g_firmware 1.2.0
microhardcorp vip4gb_wifi-n_firmware 1.1.6
microhardcorp ipn3gii_firmware 1.2.0
microhardcorp dragon-lte_firmware 1.1.0
microhardcorp vip4gb_firmware 1.1.6
microhardcorp ipn4gb_firmware 1.1.0
microhardcorp bullet-lte_firmware 1.2.0
microhardcorp ipn4gii_firmware 1.2.0
microhardcorp bulletplus_firmware 1.3.0
microhardcorp ipn4g_firmware 1.1.0
CVE-2018-25144

Microhard Systems IPn4G 1.1.0 contains an authentication bypass vulnerability in the hidden system-editor.sh script that allows authenticated attackers to read, modify, or delete arbitrary files. Attackers can exploit unsanitized 'path', 'savefile', 'edit', and 'delfile' parameters to perform unauthorized file system modifications through GET and POST requests.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
disclosure@vulncheck.com 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N 1.8 3.6

Products Affected

Vendor Product Version
microhardcorp ipn3gb_firmware 2.2.0
microhardcorp ipn4gb_firmware 1.1.6
microhardcorp bullet-3g_firmware 1.2.0
microhardcorp vip4gb_wifi-n_firmware 1.1.6
microhardcorp ipn3gii_firmware 1.2.0
microhardcorp dragon-lte_firmware 1.1.0
microhardcorp vip4gb_firmware 1.1.6
microhardcorp ipn4gb_firmware 1.1.0
microhardcorp bullet-lte_firmware 1.2.0
microhardcorp ipn4gii_firmware 1.2.0
microhardcorp bulletplus_firmware 1.3.0
microhardcorp ipn4g_firmware 1.1.0
CVE-2018-25145

Microhard Systems IPn4G 1.1.0 contains a configuration file disclosure vulnerability that allows authenticated attackers to download sensitive system configuration files. Attackers can retrieve configuration files from multiple directories including '/www', '/etc/m_cli/', and '/tmp' to access system passwords and network settings.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
disclosure@vulncheck.com 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N 2.8 3.6

Products Affected

Vendor Product Version
microhardcorp ipn3gb_firmware 2.2.0
microhardcorp ipn4gb_firmware 1.1.6
microhardcorp bullet-3g_firmware 1.2.0
microhardcorp vip4gb_wifi-n_firmware 1.1.6
microhardcorp ipn3gii_firmware 1.2.0
microhardcorp dragon-lte_firmware 1.1.0
microhardcorp vip4gb_firmware 1.1.6
microhardcorp ipn4gb_firmware 1.1.0
microhardcorp bullet-lte_firmware 1.2.0
microhardcorp ipn4gii_firmware 1.2.0
microhardcorp bulletplus_firmware 1.3.0
microhardcorp ipn4g_firmware 1.1.0
CVE-2018-25146

Microhard Systems IPn4G 1.1.0 contains an undocumented vulnerability that allows authenticated attackers to list and manipulate running system processes. Attackers can send arbitrary signals to kill background processes and system services through a hidden feature, potentially causing service disruption and requiring device restart.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
disclosure@vulncheck.com 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 2.8 3.6

Products Affected

Vendor Product Version
microhardcorp ipn3gb_firmware 2.2.0
microhardcorp ipn4gb_firmware 1.1.6
microhardcorp bullet-3g_firmware 1.2.0
microhardcorp vip4gb_wifi-n_firmware 1.1.6
microhardcorp ipn3gii_firmware 1.2.0
microhardcorp dragon-lte_firmware 1.1.0
microhardcorp vip4gb_firmware 1.1.6
microhardcorp ipn4gb_firmware 1.1.0
microhardcorp bullet-lte_firmware 1.2.0
microhardcorp ipn4gii_firmware 1.2.0
microhardcorp bulletplus_firmware 1.3.0
microhardcorp ipn4g_firmware 1.1.0
CVE-2018-25147

Microhard Systems IPn4G 1.1.0 contains hardcoded default credentials that cannot be changed through normal gateway operations. Attackers can exploit these default credentials to gain unauthorized root-level access to the device by logging in with predefined username and password combinations.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
disclosure@vulncheck.com 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 3.9 3.6

Products Affected

Vendor Product Version
microhardcorp ipn3gb_firmware 2.2.0
microhardcorp ipn4gb_firmware 1.1.6
microhardcorp bullet-3g_firmware 1.2.0
microhardcorp vip4gb_wifi-n_firmware 1.1.6
microhardcorp ipn3gii_firmware 1.2.0
microhardcorp dragon-lte_firmware 1.1.0
microhardcorp vip4gb_firmware 1.1.6
microhardcorp ipn4gb_firmware 1.1.0
microhardcorp bullet-lte_firmware 1.2.0
microhardcorp ipn4gii_firmware 1.2.0
microhardcorp bulletplus_firmware 1.3.0
microhardcorp ipn4g_firmware 1.1.0
CVE-2018-25148

Microhard Systems IPn4G 1.1.0 contains multiple authenticated remote code execution vulnerabilities in the admin interface that allow attackers to create crontab jobs and modify system startup scripts. Attackers can exploit hidden admin features to execute arbitrary commands with root privileges, including starting services, disabling firewalls, and writing files to the system.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
disclosure@vulncheck.com 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 2.8 5.9

Products Affected

Vendor Product Version
microhardcorp ipn3gb_firmware 2.2.0
microhardcorp ipn4gb_firmware 1.1.6
microhardcorp bullet-3g_firmware 1.2.0
microhardcorp vip4gb_wifi-n_firmware 1.1.6
microhardcorp ipn3gii_firmware 1.2.0
microhardcorp dragon-lte_firmware 1.1.0
microhardcorp vip4gb_firmware 1.1.6
microhardcorp ipn4gb_firmware 1.1.0
microhardcorp bullet-lte_firmware 1.2.0
microhardcorp ipn4gii_firmware 1.2.0
microhardcorp bulletplus_firmware 1.3.0
microhardcorp ipn4g_firmware 1.1.0
CVE-2018-25149

Microhard Systems IPn4G 1.1.0 contains a cross-site request forgery vulnerability that allows attackers to perform administrative actions without user consent. Attackers can craft malicious web pages to change admin passwords, add new users, and modify system settings by tricking authenticated users into loading a specially crafted page.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
disclosure@vulncheck.com 4.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N 2.8 1.4

Products Affected

Vendor Product Version
microhardcorp ipn3gb_firmware 2.2.0
microhardcorp ipn4gb_firmware 1.1.6
microhardcorp bullet-3g_firmware 1.2.0
microhardcorp vip4gb_wifi-n_firmware 1.1.6
microhardcorp ipn3gii_firmware 1.2.0
microhardcorp dragon-lte_firmware 1.1.0
microhardcorp vip4gb_firmware 1.1.6
microhardcorp ipn4gb_firmware 1.1.0
microhardcorp bullet-lte_firmware 1.2.0
microhardcorp ipn4gii_firmware 1.2.0
microhardcorp bulletplus_firmware 1.3.0
microhardcorp ipn4g_firmware 1.1.0
CVE-2020-17406 HIGH

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Microhard Bullet-LTE prior to v1.2.0-r1112. Authentication is required to exploit this vulnerability. The specific flaw exists within the handling of the ping parameter provided to tools.sh. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-10595.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 2.8 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-78,

Products Affected

Vendor Product Version
microhardcorp bullet-lte_firmware *
CVE-2020-17407 HIGH

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Microhard Bullet-LTE prior to v1.2.0-r1112. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of authentication headers. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-10596.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-121,

Products Affected

Vendor Product Version
microhardcorp bullet-lte_firmware *
CVE-2025-35004

Products that incorporate the Microhard BulletLTE-NA2 and IPn4Gii-NA2 are vulnerable to a post-authentication command injection issue in the AT+MFIP command that can lead to privilege escalation. This is an instance of CWE-88, "Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')," and is estimated as a CVSS 7.1 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N). This issue has not been generally fixed at the time of this CVE record's first publishing.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
cve@takeonme.org 7.1 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N 1.8 5.2

Products Affected

Vendor Product Version
microhardcorp ipn4gii-na2_firmware *
microhardcorp bulletlte-na2_firmware *
CVE-2025-35005

Products that incorporate the Microhard BulletLTE-NA2 and IPn4Gii-NA2 are vulnerable to a post-authentication command injection issue in the AT+MFMAC command that can lead to privilege escalation. This is an instance of CWE-88, "Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')," and is estimated as a CVSS 7.1 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N). This issue has not been generally fixed at the time of this CVE record's first publishing.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
cve@takeonme.org 7.1 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N 1.8 5.2

Products Affected

Vendor Product Version
microhardcorp ipn4gii-na2_firmware *
microhardcorp bulletlte-na2_firmware *
CVE-2025-35006

Products that incorporate the Microhard BulletLTE-NA2 and IPn4Gii-NA2 are vulnerable to a post-authentication command injection issue in the AT+MFPORTFWD command that can lead to privilege escalation. This is an instance of CWE-88, "Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')," and is estimated as a CVSS 7.1 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N). This issue has not been generally fixed at the time of this CVE record's first publishing.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
cve@takeonme.org 7.1 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N 1.8 5.2

Products Affected

Vendor Product Version
microhardcorp ipn4gii-na2_firmware *
microhardcorp bulletlte-na2_firmware *
CVE-2025-35007

Products that incorporate the Microhard BulletLTE-NA2 and IPn4Gii-NA2 are vulnerable to a post-authentication command injection issue in the AT+MFRULE command that can lead to privilege escalation. This is an instance of CWE-88, "Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')," and is estimated as a CVSS 7.1 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N). This issue has not been generally fixed at the time of this CVE record's first publishing.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
cve@takeonme.org 7.1 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N 1.8 5.2

Products Affected

Vendor Product Version
microhardcorp ipn4gii-na2_firmware *
microhardcorp bulletlte-na2_firmware *
CVE-2025-35008

Products that incorporate the Microhard BulletLTE-NA2 and IPn4Gii-NA2 are vulnerable to a post-authentication command injection issue in the AT+MMNAME command that can lead to privilege escalation. This is an instance of CWE-88, "Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')," and is estimated as a CVSS 7.1 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N). This issue has not been generally fixed at the time of this CVE record's first publishing.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
cve@takeonme.org 7.1 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N 1.8 5.2

Products Affected

Vendor Product Version
microhardcorp ipn4gii-na2_firmware *
microhardcorp bulletlte-na2_firmware *
CVE-2025-35009

Products that incorporate the Microhard BulletLTE-NA2 and IPn4Gii-NA2 are vulnerable to a post-authentication command injection issue in the AT+MNNETSP command that can lead to privilege escalation. This is an instance of CWE-88, "Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')," and is estimated as a CVSS 7.1 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N). This issue has not been generally fixed at the time of this CVE record's first publishing.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
cve@takeonme.org 7.1 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N 1.8 5.2

Products Affected

Vendor Product Version
microhardcorp ipn4gii-na2_firmware *
microhardcorp bulletlte-na2_firmware *
CVE-2025-35010

Products that incorporate the Microhard BulletLTE-NA2 and IPn4Gii-NA2 are vulnerable to a post-authentication command injection issue in the AT+MNPINGTM command that can lead to privilege escalation. This is an instance of CWE-88, "Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')," and is estimated as a CVSS 7.1 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N). This issue has not been generally fixed at the time of this CVE record's first publishing.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
cve@takeonme.org 7.1 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N 1.8 5.2

Products Affected

Vendor Product Version
microhardcorp ipn4gii-na2_firmware *
microhardcorp bulletlte-na2_firmware *