Security Experts:

Connect with us

Hi, what are you looking for?



Critical Flaws Found in NetComm Industrial Routers

An industrial router made by Australian telecommunications equipment company NetComm Wireless is affected by several serious vulnerabilities that can be exploited remotely to take control of affected devices.

An industrial router made by Australian telecommunications equipment company NetComm Wireless is affected by several serious vulnerabilities that can be exploited remotely to take control of affected devices.

According to an advisory published last week by ICS-CERT, NetComm 4G LTE Light industrial M2M routers running firmware version and prior are impacted by four vulnerabilities. The list includes information disclosure, cross-site scripting (XSS) and cross-site request forgery (CSRF) issues that have been assigned the CVE identifiers CVE-2018-14782 through CVE-2018-14785.

Researcher Aditya K. Sood, who has been credited for finding the vulnerabilities, told SecurityWeek that one of the security holes allows an unauthenticated attacker to access information about a device’s web server. NetComm patches critical flaws in industrial routers

A CSRF vulnerability, present due to failure to enforce a token mechanism, can be exploited by a remote attacker to perform various actions, including to change the password to the router’s web interface.

An XSS flaw is caused by the failure of the application hosted on the embedded web server to implement input filtering and sanitization.

“Any arbitrary value passed by the remote user was processed and rendered in the application. As a result, the payload passed as a value gets executed in the browser. The attacker could have stolen session information or could have executed malicious code via the NetComm router web interface,” Sood explained.

The last vulnerability is an information disclosure issue that can be exploited by an attacker to obtain details on the router’s components.

Register for SecurityWeek’s 2018 ICS Cyber Security Conference

The CSRF and XSS flaws have been classified by ICS-CERT as “critical,” while the information disclosure issues are said to be “high severity.” CSRF and XSS flaws typically require the targeted user to click on a link.

The flaws can be exploited remotely from the Internet. A search revealed the existence of hundreds of devices exposed to attacks, Sood told SecurityWeek.

“The vulnerabilities combined with other sets of attacks and specific command execution to alter the configuration could result in compromising the device at the system level,” the researcher explained.

The expert reported his findings via ICS-CERT in October 2017. NetComm appears to have released a firmware update that patches the security holes in mid-May 2018.

Related: Serious Flaws Found in Westermo Industrial Routers

Related: Severe Flaws Expose Moxa Industrial Routers to Attacks

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

Network Security

NSA publishes guidance to help system administrators identify and mitigate cyber risks associated with transitioning to IPv6.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet