VU#123336: Vulnerable WiFi Alliance example code found in Arcadyan FMIMG51AX000J
A command injection vulnerability has been identified in the Wi-Fi Test Suite, a tool developed by the WiFi Alliance, which has been found deployed on Arcadyan routers. The Wi-Fi Test Suite was originally created to support certification programs and device certification, but not for use in production environments. However, it has been discovered in commercial router deployments, exposing a vulnerability in the test code. The vulnerability allows an unauthenticated local attacker to exploit the Wi-Fi Test Suite by sending specially crafted packets, enabling the execution of arbitrary commands with root privileges. An attacker can exploit this vulnerability to gain full administrative control over the affected device. With this access, the attacker can modify system settings, disrupt critical network services, or reset the device entirely. The CERT/CC recommends that vendors update the Wi-Fi Test Suite to version 9.0 or later, or remove it entirely from production devices to reduce the risk of exploitation. The vulnerability has been assigned the identifier CVE-2024-41992. The CERT/CC acknowledges the reporter Noam Rathaus from SSD Disclosure for identifying the vulnerability. The recommended solution is intended to prevent service interruptions, compromise of network data, and potential loss of service for all users dependent on the affected network.