Security Experts:

Connect with us

Hi, what are you looking for?



Critical Flaws Found in NetComm Industrial Routers

An industrial router made by Australian telecommunications equipment company NetComm Wireless is affected by several serious vulnerabilities that can be exploited remotely to take control of affected devices.

An industrial router made by Australian telecommunications equipment company NetComm Wireless is affected by several serious vulnerabilities that can be exploited remotely to take control of affected devices.

According to an advisory published last week by ICS-CERT, NetComm 4G LTE Light industrial M2M routers running firmware version and prior are impacted by four vulnerabilities. The list includes information disclosure, cross-site scripting (XSS) and cross-site request forgery (CSRF) issues that have been assigned the CVE identifiers CVE-2018-14782 through CVE-2018-14785.

Researcher Aditya K. Sood, who has been credited for finding the vulnerabilities, told SecurityWeek that one of the security holes allows an unauthenticated attacker to access information about a device’s web server. NetComm patches critical flaws in industrial routers

A CSRF vulnerability, present due to failure to enforce a token mechanism, can be exploited by a remote attacker to perform various actions, including to change the password to the router’s web interface.

An XSS flaw is caused by the failure of the application hosted on the embedded web server to implement input filtering and sanitization.

“Any arbitrary value passed by the remote user was processed and rendered in the application. As a result, the payload passed as a value gets executed in the browser. The attacker could have stolen session information or could have executed malicious code via the NetComm router web interface,” Sood explained.

The last vulnerability is an information disclosure issue that can be exploited by an attacker to obtain details on the router’s components.

Register for SecurityWeek’s 2018 ICS Cyber Security Conference

The CSRF and XSS flaws have been classified by ICS-CERT as “critical,” while the information disclosure issues are said to be “high severity.” CSRF and XSS flaws typically require the targeted user to click on a link.

The flaws can be exploited remotely from the Internet. A search revealed the existence of hundreds of devices exposed to attacks, Sood told SecurityWeek.

“The vulnerabilities combined with other sets of attacks and specific command execution to alter the configuration could result in compromising the device at the system level,” the researcher explained.

The expert reported his findings via ICS-CERT in October 2017. NetComm appears to have released a firmware update that patches the security holes in mid-May 2018.

Related: Serious Flaws Found in Westermo Industrial Routers

Related: Severe Flaws Expose Moxa Industrial Routers to Attacks

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content

Network Security

NSA publishes guidance to help system administrators identify and mitigate cyber risks associated with transitioning to IPv6.

CISO Strategy

Cybersecurity-related risk is a top concern, so boards need to know they have the proper oversight in place. Even as first-timers, successful CISOs make...


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...