Task 1 of 4

The Router That Let Strangers Run Commands on Your Network

In 2021, researchers discovered that Netgear routers, sitting in millions of homes and offices, had a command injection vulnerability in their web management interface. The router's ping diagnostic tool took a hostname from the user and spliced it straight into a shell command line, with no validation. A hostname containing shell metacharacters (a semicolon, a pipe, a backtick) therefore caused the router to run attacker-supplied commands, and because the web interface on these devices runs as root, the commands ran as root too.

On some models no login was required. Anyone on the same network, and in some cases anyone on the internet who could reach the management port, could take complete control of the router: change DNS settings to redirect traffic, intercept traffic passing through the device, or pivot to other devices on the home network.

COMMAND INJECTION HAS HIT CRITICAL INFRASTRUCTURE
Netgear Routers — 2021
Ping tool in the web interface. User input passed to the OS shell without filtering. Root on any reachable device, across a fleet of millions of home routers.
Citrix ADC (CVE-2019-19781)
Network appliance used by thousands of enterprises. A directory traversal flaw in the VPN handler let unauthenticated attackers reach a script that executed their input, giving remote code execution. Mass exploitation began within weeks of disclosure, as soon as public exploits appeared.
F5 BIG-IP (CVE-2020-5902)
Load balancer management interface (TMUI). A path traversal let unauthenticated attackers run commands and read or write files on the appliance, giving full system access. NHS, banks, and government agencies affected.
SolarWinds Orion — 2020
Not an injection bug in a product but a supply-chain compromise: the vendor's build process was subverted and a backdoor was compiled into signed Orion updates. Around 18,000 customers downloaded the trojanised update, including US government agencies; a much smaller number were then actively targeted. It is listed here because the effect was the same as command injection at scale, attacker code running on the victim's servers with the application's privileges.

Why it is so severe

SQL injection talks to the database. XSS runs in a user's browser. Command injection runs on the server's operating system, with the same permissions as the web application itself. On an embedded device such as a router that is usually root; on a server it is whatever account the web server runs as, which is often far more privileged than it should be. Either way the attacker gets everything that account can touch: files, users, network connections, other services. It is the closest thing to a master key.
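The ping-tool flaw described above, and the point that whatever is injected runs with the web application's own privileges, as an added example. This is not Netgear's firmware or code from the original page: it is a small Python model of a diagnostic endpoint, with a constructed payload (the hostname "127.0.0.1; id"), a hostname allow-list regex and the function names chosen here for illustration. The vulnerable version builds a shell string; the hardened version validates the hostname and passes it to ping as a single argv element with no shell in between.

```python
import re
import subprocess

# Allow-list for the one thing a ping tool legitimately needs: a hostname or
# IPv4 literal. Letters, digits, dots and hyphens only, no leading hyphen
# (so the value can never be parsed by ping as an option such as -f), and
# a length cap. Assumed for this example; tighten for your own deployment.
_HOST_RE = re.compile(r"^(?!-)[A-Za-z0-9.-]{1,253}$")


def is_valid_host(host: str) -> bool:
    """Allow-list check: anything that is not a plausible hostname/IP is rejected."""
    return bool(_HOST_RE.match(host))


def build_unsafe_command(host: str) -> str:
    """How the vulnerable tool builds its command: concatenation into a shell line."""
    return "ping -c 1 -W 1 " + host


def run_diagnostic_unsafe(host: str) -> str:
    """Vulnerable: the hostname is interpolated into a shell command line, so
    metacharacters (; | && $( ) backticks) are parsed by /bin/sh as further
    commands. With the payload '127.0.0.1; id', sh runs ping and then id, and
    the 'uid=...' line in the output shows exactly whose privileges the
    injected command inherited: those of this process."""
    result = subprocess.run(build_unsafe_command(host), shell=True,
                            capture_output=True, text=True)
    return result.stdout + result.stderr


def run_diagnostic_safe(host: str) -> str:
    """Hardened: validate against the allow-list, then hand the host to ping as
    one argv element with shell=False. The value reaches ping as data, never
    as shell syntax, and a bad value is rejected before any process starts."""
    if not is_valid_host(host):
        raise ValueError(f"rejected hostname: {host!r}")
    result = subprocess.run(["ping", "-c", "1", "-W", "1", host],
                            capture_output=True, text=True)
    return result.stdout + result.stderr


if __name__ == "__main__":
    payload = "127.0.0.1; id"  # constructed attacker-supplied "hostname"
    print("unsafe tool output:\n" + run_diagnostic_unsafe(payload))
    try:
        run_diagnostic_safe(payload)
    except ValueError as exc:
        print("hardened tool:", exc)
```

Two points are worth noticing when running it. First, the injected id runs even if ping is not installed, because the shell executes each command in the line independently; the bug is in the shell parsing, not in ping. Second, escaping with shlex.quote would stop this particular payload but still leaves the shell in the loop; dropping the shell entirely and refusing anything outside the allow-list removes the whole class, including argument injection through a hostname that starts with a hyphen.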

1. Command injection runs on the server's operating system. Why is this more severe than SQL injection?
