Introduction When testing connectivity of the SDMC NE6037 router inputting a quote character into the "ping" utility revealed an error indicating a Remote Code Execution (RCE) vulnerability.

It is quite common to find RCE vulnerabilities in routers’ connectivity tools (such as ping or traceroute). The user-supplied parameters are passed without sanitization as a parameter to a shell command. This was confirmed to be the root cause in this instance. Affected versions Before version 7.1.12.2.44. Prerequisites • Local network access to the router.
• Valid administrator credentials.
PoC 1. Log in to the router’s HTTP interface.
2. Navigate to Diagnostic Tools. Both Ping and Traceroute utilities are vulnerable.
3. In the target address field, input the following payload: Any command on the router can be executed as follows:
• The command must start with a single quote, vertical bar, and another single quote: '|'
• Every space in the command must be enclosed in two single quotes: ' '

For example: Becomes: Example output: Example of pwd command injection: The whoami command returned root as the user. Conclusion The identified vulnerability permits an authenticated attacker to execute arbitrary commands with root privileges. This enables attacks such as network traffic interception or unauthorized access to sensitive router configuration data.