Impact
The flaw exists in the setTools function of /bin/netis.cgi on Netcore Power 15AX devices. An attacker can manipulate the IpAddr operating‑system commands, enabling remote command execution. This weakness aligns with OS Command Injection (CWE‑77) and Improper Neutralization of Special Elements used in an OS Command (CWE‑78).
Affected Systems
Firmware versions of Netcore Power 15AX up to and including 3.0.0.6938 are affected. Any device running these images is susceptible, particularly when the Diagnostic Tool Interface is reachable over the network.
Risk and Exploitability
The CVSS score of 8.7 reflects high severity, while the EPSS score of 8% reflects a low probability of exploitation. The vulnerability is not listed in the CISA KEV catalog. Remote attackers can target the exposed /bin/netis.cgi endpoint over the network to achieve full control of the device.
OpenCVE Enrichment