First published: 19 Sep 2024
Last updated: 19 Sep 2024


Summary

The Federal Bureau of Investigation (FBI), Cyber National Mission Force (CNMF), and National Security Agency (NSA) assess that People's Republic of China (PRC)-linked cyber actors have compromised thousands of Internet-connected devices, including small office/home office (SOHO) routers, firewalls, network-attached storage (NAS) and Internet of Things (IoT) devices with the goal of creating a network of compromised nodes (a "botnet") positioned for malicious activity. The actors may then use the botnet as a proxy to conceal their identities while deploying distributed denial of service (DDoS) attacks or compromising targeted U.S. networks.

Integrity Technology Group, a PRC-based company, has controlled and managed a botnet active since mid-2021. The botnet has regularly maintained between tens and hundreds of thousands of compromised devices. As of June 2024, the botnet consisted of over 260,000 devices. Victim devices in the botnet have been observed in North America, South America, Europe, Africa, Southeast Asia and Australia.

While devices aged beyond their end-of-life dates are known to be more vulnerable to intrusion, many of the compromised devices in the Integrity Tech-controlled botnet are likely still supported by their respective vendors.

FBI, CNMF, NSA, and allied partners are releasing this Joint Cyber Security Advisory to highlight the threat posed by these actors and their botnet activity and to encourage exposed device vendors, owners, and operators to update and secure their devices so that they are not compromised and recruited into the botnet. Network defenders are advised to follow the guidance in the mitigations section to protect against the PRC-linked cyber actors' botnet activity. Cyber security companies can also leverage the information in this advisory to assist with identifying malicious activity and reducing the number of devices present in botnets worldwide.

For additional information, see the U.S. Department of Justice (DOJ) press release.

Technical details

Attribution

Integrity Technology Group (Integrity Tech) is a company based in the PRC with links to the PRC government. Integrity Tech has used China Unicom Beijing Province Network IP addresses to control and manage the botnet described in this advisory.

In addition to managing the botnet, these same China Unicom Beijing Province Network IP addresses were used to access other operational infrastructure employed in computer intrusion activities against U.S. victims. FBI has engaged with multiple U.S. victims of these computer intrusions and found activity consistent with the tactics, techniques, and infrastructure associated with the cyber threat group known publicly as Flax Typhoon, RedJuliett, and Ethereal Panda.

Note: Cybersecurity companies have different methods of tracking and attributing cyber actors, and these may not be a 1:1 correlation to the U.S. Government’s methodology and understanding for all activity related to these groupings.

Botnet command and control

As with similar botnets, this botnet infrastructure comprises a network of devices, known as "bots", which are infected with a type of malware that provides threat actors with unauthorized remote access. A functioning botnet can be used for a variety of purposes, including malware delivery, distributed denial of service (DDoS) attacks, or routing nefarious Internet traffic.

The botnet uses the Mirai family of malware, designed to hijack IoT devices such as webcams, DVRs, IP cameras, and routers running Linux-based operating systems. The Mirai source code was posted publicly on the Internet in 2016, resulting in other hackers creating their own botnets based on the malware. Since that time, various Mirai botnets have been used to conduct DDoS and other malicious activities against victim entities within the United States.

The investigated botnet's customized Mirai malware is a component of a system that automates the compromise of a variety of devices. To recruit a new "bot," the botnet system first compromises an Internet-connected device using one of a variety of known vulnerability exploits (see Appendix B: Observed CVEs). Post-compromise, the victim device executes a Mirai-based malware payload from a remote server. Once executed, the payload starts processes on the device to establish a connection with a command-and-control (C2) server using Transport Layer Security (TLS) on port 443. The processes gather system information from the infected device, including but not limited to the operating system version and processor, memory and bandwidth details to send to the C2 server for enumeration purposes. The malware also makes requests to "c.speedtest.net," likely to gather additional Internet connection details. Some malware payloads were self-deleting to evade detection.

A variety of subdomains of "w8510.com" were linked to the botnet's C2 servers. As of September 2024, investigators identified over 80 subdomains associated with w8510.com (see Appendix A: Indicators of Compromise).

Botnet management

A tier of upstream management servers using TCP port 34125 manages the botnet's C2 servers. These management servers hosted a MySQL database that stored information used for the control of the botnet. As of June 2024, this database contained over 1.2 million records of compromised devices, including over 385,000 unique U.S. victim devices, both previously and actively exploited.

The management servers hosted an application known as “Sparrow” which allows users to interact with the botnet. The actors used specific IP addresses registered to China Unicom Beijing Province Network to access this application, including the same IP addresses previously used by Flax Typhoon to access the systems used in computer intrusion activities against U.S.-based victims.

The code for the Sparrow application, stored within a Git repository, defines functions that allow registered users to manage and control the botnet and C2 servers, sending tasks to victim devices including DDoS and exploitation commands to grow the botnet. Sparrow also contains functionality providing device vulnerability information to users. A subcomponent called "vulnerability arsenal" also allows users to exploit traditional computer networks through the victim devices in the botnet.
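As an added example that is not part of the advisory, the following Python checker applies the network indicators described in the two sections above (DNS lookups of w8510.com subdomains, the subsequent TLS/443 session to the address such a lookup returned, connections on TCP/34125, and requests to c.speedtest.net) to constructed log records from an IoT segment. The simplified log format, the sample records and the 10.20.0.0/24 segment are assumptions made for the example.

```python
import ipaddress
from collections import defaultdict

# Indicators taken from the advisory: C2 subdomains of w8510.com, bot-to-C2
# sessions over TLS on port 443, management-tier traffic on TCP/34125, and
# post-infection requests to c.speedtest.net (legitimate on its own: weak signal).
C2_DOMAIN_SUFFIX = ".w8510.com"
C2_PORT = 443
MGMT_PORT = 34125
SPEEDTEST_HOST = "c.speedtest.net"
STRONG = {"c2_dns", "c2_tls", "mgmt_port"}

# Assumption: the IoT/SOHO segment being watched (placeholder range).
IOT_SUBNET = ipaddress.ip_network("10.20.0.0/24")

# Constructed sample records, not from the advisory. One record per line:
#   dns  <src> <resolver> 53      <query> <answer-ip>
#   conn <src> <dst>      <dport> -       -
#   http <src> <dst>      <dport> <host>  -
SAMPLE_LOGS = """\
dns 10.20.0.15 10.20.0.1 53 acqv.w8510.com 203.0.113.10
conn 10.20.0.15 203.0.113.10 443 - -
http 10.20.0.15 198.51.100.7 80 c.speedtest.net -
conn 10.20.0.31 203.0.113.44 34125 - -
dns 10.20.0.22 10.20.0.1 53 www.example.com 198.51.100.9
conn 10.20.0.22 198.51.100.9 443 - -
http 10.20.0.22 198.51.100.7 80 c.speedtest.net -
dns 192.0.2.5 10.20.0.1 53 zda4g4.w8510.com 203.0.113.11
"""


def parse_line(line):
    """Split one record into (kind, src, dst, dport, name, answer); None if malformed."""
    parts = line.split()
    if len(parts) != 6 or not parts[3].isdigit():
        return None
    kind, src, dst, dport, name, answer = parts
    return kind, src, dst, int(dport), name, answer


def analyze(log_text):
    """Return {src_ip: {"indicators": set, "verdict": str}} for hosts in IOT_SUBNET."""
    records = [r for r in map(parse_line, log_text.splitlines()) if r]
    # Pass 1: IPs that any w8510.com name resolved to, so later 443 sessions
    # to those IPs can be correlated with the C2 lookup that preceded them.
    c2_ips = {r[5] for r in records if r[0] == "dns" and r[4].endswith(C2_DOMAIN_SUFFIX)}
    # Pass 2: tag each in-scope source host with the indicators it exhibits.
    indicators = defaultdict(set)
    for kind, src, dst, dport, name, _ in records:
        if ipaddress.ip_address(src) not in IOT_SUBNET:
            continue
        if kind == "dns" and name.endswith(C2_DOMAIN_SUFFIX):
            indicators[src].add("c2_dns")
        elif kind == "conn" and dport == C2_PORT and dst in c2_ips:
            indicators[src].add("c2_tls")
        elif kind == "conn" and dport == MGMT_PORT:
            indicators[src].add("mgmt_port")
        elif kind == "http" and name == SPEEDTEST_HOST:
            indicators[src].add("speedtest")
    # A strong indicator alone is enough; a speedtest request alone only merits review.
    return {
        src: {"indicators": found,
              "verdict": "likely_bot" if found & STRONG else "review"}
        for src, found in indicators.items()
    }


if __name__ == "__main__":
    for host, result in sorted(analyze(SAMPLE_LOGS).items()):
        print(host, result["verdict"], sorted(result["indicators"]))
```

Hosts outside the watched segment are ignored, but their w8510.com resolutions still feed the C2 address set used to correlate 443 sessions.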

Compromised device distribution

The following tables approximate the count of devices compromised by the botnet system as of June 2024, by location and by processor architecture. There were at least 50 different Linux operating system versions found among botnet nodes. Based on the operating system versions of the nodes, infected systems range from devices that ceased receiving support as early as 2016 to devices that are currently supported. Affected devices were running Linux kernel versions 2.6 through 5.4.

Table 1: Botnet devices per country

Country        | Node Count | Percentage
United States  | 126,000    | 47.9%
Vietnam        | 21,100     | 8.0%
Germany        | 18,900     | 7.2%
Romania        | 9,600      | 3.7%
Hong Kong      | 9,400      | 3.6%
Canada         | 9,200      | 3.5%
South Africa   | 9,000      | 3.4%
United Kingdom | 8,500      | 3.2%
India          | 5,800      | 2.2%
France         | 5,600      | 2.1%
Bangladesh     | 4,100      | 1.6%
Italy          | 4,000      | 1.5%
Lithuania      | 3,300      | 1.3%
Albania        | 2,800      | 1.1%
Netherlands    | 2,700      | 1.0%
China          | 2,600      | 1.0%
Australia      | 2,400      | 0.9%
Poland         | 2,100      | 0.8%
Spain          | 2,000      | 0.8%

Table 2: Botnet devices per continent

Continent     | Node Count | Percentage
North America | 135,300    | 51.3%
Europe        | 65,600     | 24.9%
Asia          | 50,400     | 19.1%
Africa        | 9,200      | 3.5%
Oceania       | 2,400      | 0.9%
South America | 800        | 0.3%

Table 3: Botnet devices by processor architecture

Processor Architecture | Node Count | Percentage
x86                    | 236,000    | 89.2%
MIPS                   | 21,400     | 8.1%
ARM                    | 3,900      | 1.5%
x86_64                 | 1,900      | 0.7%
MIPSEL                 | 1,400      | 0.5%

Recommended mitigations

The FBI recommends network defenders take the following actions to mitigate threats posed by adversaries attempting to use botnets for malicious cyber activity. The following guidance applies both to preventing IoT devices from becoming part of a botnet, as well as to defending networks from botnets already in operation.

  • Disable unused services and ports such as automatic configuration, remote access or file sharing protocols. Routers and IoT devices may provide features such as Universal Plug and Play (UPnP), remote management options and file sharing services, which threat actors may abuse to gain initial access or to spread malware to other networked devices. Disable these features if not needed.
  • Implement network segmentation to ensure IoT devices within a larger network pose known, limited, and tolerable risks. Use the principle of least privilege to provide devices with just enough connectivity needed to perform their intended function.
  • Monitor for high network traffic volume. Since DDoS attacks originating from botnets may at first appear similar to normal traffic, it is critical for organizations to define, monitor and prepare for abnormal traffic volumes. Monitoring is possible via firewalls or intrusion detection systems. Some network solutions such as proxies may mitigate DDoS incidents.
  • Apply patches and updates, including software and firmware updates. Regular patching mitigates many high-risk security vulnerabilities. If available, take advantage of automatic update channels from trusted network locations. Do not trust email messages claiming to provide software updates as attachments or via links to untrusted websites.
  • Replace default passwords with strong passwords. Many IoT products implement a device administration password in addition to other account passwords. Ensure all passwords are changed from their defaults, using a strong password policy. If possible, disable password hints.
  • Plan for device reboots. Rebooting a device terminates all running processes, which may remove specific types of malware, such as "fileless" malware that runs in the host’s memory. As a reboot may disrupt legitimate activity, users may need to prepare for service interruptions. Some devices provide scheduled reboot features, enabling reboots to occur at preferred times. If a compromised device fails to respond to reboot commands issued remotely, reboot physically.
  • Replace end-of-life equipment with devices that remain in respective vendor support plans.

Disclaimer

The information in this report is being provided "as is" for informational purposes only. The authoring organizations do not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by the authoring organizations.

Appendix A: Indicators of compromise

The following domain names were observed as subdomains of "w8510.com", the observed command-and-control system domain.


Appendix B: Observed CVEs

Integrity Tech relied on the following vulnerabilities to acquire new botnet victims and allow botnet users to exploit further victims through the compromised botnet devices.

CVE | Vendor | Product | Versions affected | Vulnerability type
CVE-2024-5217 | ServiceNow | Now Platform | Washington DC, Vancouver, and earlier Now Platform releases | RCE
CVE-2024-4577 | PHP Group | PHP | PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, when using Apache and PHP-CGI on Windows | OS command injection
CVE-2024-29973 | Zyxel | NAS326, NAS542 | NAS326 firmware versions before V5.21(AAZF.17)C0 and NAS542 firmware versions before V5.21(ABAG.14)C0 | OS command injection
CVE-2024-29269 | Telesquare | TLR-2005Ksh | 1.0.0 and 1.1.4 | Arbitrary system commands
CVE-2024-21762 | Fortinet | FortiOS, FortiProxy | FortiOS 7.4.0 through 7.4.2, 7.2.0 through 7.2.6, 7.0.0 through 7.0.13, 6.4.0 through 6.4.14, 6.2.0 through 6.2.15, 6.0.0 through 6.0.17; FortiProxy versions 7.4.0 through 7.4.2, 7.2.0 through 7.2.8, 7.0.0 through 7.0.14, 2.0.0 through 2.0.13, 1.2.0 through 1.2.13, 1.1.0 through 1.1.6, 1.0.0 through 1.0.7 | RCE
CVE-2023-50386 | Apache | Solr | 6.0.0 through 8.11.2, 9.0.0 before 9.4.1 | Unrestricted file upload
CVE-2023-47218 | QNAP | QTS, QuTS hero, QuTScloud | QTS 5.1.x before 5.1.5.2645 build 20240116, QuTS hero h5.1.x before h5.1.5.2647 build 20240118, QuTScloud c5.x before c5.1.5.2651 | OS command injection
CVE-2023-46747 | F5 | F5 Big-IP | Big-IP (all modules) 17.1.0-17.1., 16.1.0-16.1.4, 15.1.0-15.1.10, 14.1.0-14.1.5, 13.1.0-13.1.5 | Authentication bypass
CVE-2023-46604 | Apache | Apache ActiveMQ | before 5.15.16, 5.16.7, 5.17.6, or 5.18.3 | RCE
CVE-2023-43478 | Telstra | Smart Modem Gen 2 | Firmware versions before 0.18.15r | Code execution as root
CVE-2023-4166 | Tongda OA | Tongda2000 | 11.10 | SQL injection
CVE-2023-38646 | Metabase | Metabase and Metabase Enterprise | Metabase before 0.46.6.1, Metabase Enterprise before 1.46.6.1 | Arbitrary command execution
CVE-2023-3852 | OpenRapid | Yuque RapidCMS | Up to version 1.3.1 | Arbitrary file upload
CVE-2023-38035 | Ivanti | MobileIron Sentry (MICS Admin Portal) | 9.18.0 and below | Authentication bypass
CVE-2023-37582 | Apache | RocketMQ | 5.1.1 | Remote command execution
CVE-2023-36844 | Juniper | Juniper Junos | 20.4, 21.1, 21.2, 21.3, 21.4, 22.1, 22.2, 22.3, 22.4 | PHP external variable modification
CVE-2023-36542 | Apache | Apache NiFi | 0.0.2 through 1.22.0 | Code injection
CVE-2023-35885 | CloudPanel | CloudPanel 2 | before 2.3.1 | Insecure file-manager cookie authentication
CVE-2023-35843 | NocoDB | NocoDB | Through 0.106.0 (or 0.109.1) | Path traversal
CVE-2023-3519 | Citrix | Netscaler Gateway, Application Delivery Controller (ADC) | 12.1-NDcPP before 55.297, 12.1-FIPS before 55.297, 13.1-FIPS before 37.159, 13.0 before 91.13, 13.1 before 49.13 | Unauthenticated remote code execution
CVE-2023-35081 | Ivanti | Endpoint Manager Mobile (EPMM) | 11.10x<11.10.0.3, 11.9x<11.91.2, and 11.8<11.8.12 | Path traversal
CVE-2023-34960 | Chamilo | Chamilo | v1.11.* up to v1.11.18 | Command injection
CVE-2023-34598 | Gibbonedu | Gibbon | 25.0.00 | Local File Inclusion (LFI) vulnerability
CVE-2023-3368 | Chamilo | Chamilo LMS | <= v1.11.20 | Command injection leading to remote code execution (RCE); bypass of CVE-2023-34960
CVE-2023-33510 | WordPress | Jeecg P3 Biz Chat | Jeecg P3 Biz Chat Project Jeecg P3 Biz Chat 1.0.5 | Allows remote attackers to read arbitrary files
CVE-2023-30799 | MikroTik | MikroTik RouterOS | Stable before 6.49.7 and long-term through 6.48.6 | Privilege escalation
CVE-2023-28771 | Zyxel | ZyWALL/USG series | ZyWALL/USG ZLD 4.60 to 4.73, VPN ZLD 4.60 to 5.35, USG FLEX ZLD 4.60 to 5.35, ATP ZLD 4.60 to 5.35 | OS command injection
CVE-2023-28365 | Ubiquiti | UI UniFi | 7.3.83 and earlier | Backup file vulnerability
CVE-2023-27997 | Fortinet | FortiOS, FortiProxy | FortiOS version 7.2.4 and below, version 7.0.11 and below, version 6.4.12 and below, version 6.0.16 and below; FortiProxy 7.2.3 and below, 7.0.9 and below, 2.0.12 and below, 1.2 all versions, 1.1 all versions | Buffer overflow
CVE-2023-27524 | Apache | Apache Superset | Versions up to and including 2.0.1 | Authenticate and access unauthorized resources
CVE-2023-26469 | Jorani | Jorani | 1.0.0 | Path traversal to RCE
CVE-2023-25690 | Apache | Apache HTTP Server | 2.4.0 through 2.4.55 | HTTP request smuggling
CVE-2023-24229 | DrayTek | Vigor2960 | Firmware v1.5.1.4 (no longer supported by maintainer) | Command injection
CVE-2023-23333 | Contec | SolarView Compact | Firmware through 6.00 | Command injection
CVE-2023-22527 | Confluence | Data Center and Server | < 8.5.5 (LTS), < 8.7.2 (Data Center only) | Template injection leading to RCE
CVE-2023-22515 | Confluence | Data Center and Server | >=8.0.0, >= 8.1.0, >=8.2.0, >=8.30 to <8.3.3, >=8.4.0 to <8.4.3, >=8.5.0 to <8.5.2 | Privilege escalation
CVE-2022-42475 | Fortinet | FortiOS, FortiProxy | FortiOS SSL-VPN 7.2.0 through 7.22, 7.00 through 7.0.8, 6.4.0 through 6.4.10, 6.2.0 through 6.211, 6.0.15 and earlier; FortiProxy SSL VPN 7.2.0 through 7.2.1, 7.0.7 and earlier | Buffer overflow
CVE-2022-40881 | Contec | SolarView Compact | Firmware 6.00 | Command injection
CVE-2022-3590 | WordPress | WordPress | WordPress 4.1 | Unauthenticated blind SSRF in the pingback feature
CVE-2022-31814 | Netgate | pfSense pfBlockerNG | Through 2.1.4_26 | OS command injection
CVE-2022-30525 | Zyxel | USG FLEX, ATP, and VPN series firmware | USG FLEX 100(W)/200/500/700 ZLD 5.00 through 5.21 Patch 1, USG FLEX 50(W)/USG20(W)-VPN ZLD 5.10 through 5.21 Patch 1, ATP series ZLD 5.10 through 5.21 Patch 1, VPN series ZLD 4.60 through 5.21 Patch 1 | OS command injection
CVE-2022-26134 | Atlassian | Confluence Data Center, Confluence Server | 7.18.0 | OGNL injection
CVE-2022-20707 | Cisco | Small Business Series Routers | RV160, RV260, RV340, and RV345 | RCE
CVE-2022-1388 | F5 | BIG-IP | 16.1.x versions prior to 16.1.2.2, 15.1.x versions prior to 15.1.5.1, 14.1.x versions prior to 14.1.4.6, 13.1.x versions prior to 13.1.5, all 12.1.x and 11.6.x versions | Authentication bypass
CVE-2021-46422 | Telesquare | SDT-CW3B1 | 1.1.0 | OS command injection
CVE-2021-45511 | NETGEAR | NETGEAR | AC2100, AC2400, AC2600, D7000, R6220, R6230, R6260, R6330, R6350, R6700v2, R6800, R6850, R6900v2, R7200, R7350, R7400, R7450, each before 2021-08-27 | Authentication bypass
CVE-2021-44228 | Apache | Log4j2 | 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) | Input validation code execution
CVE-2021-36260 | Hikvision | Web servers firmware | Various DS-2CD, DS-2X, DS-2DY, PTZ-N, DS-2DF, DS-2TD, IDS, DS-76, DS-71 | Command injection
CVE-2021-28799 | QNAP Systems Inc. | Hybrid Backup Sync (HBS) 3 | versions prior to v16.0.0415 on QTS 4.5.2; versions prior to v3.0.210412 on QTS 4.3.6; versions prior to v3.0.210411 on QTS 4.3.4; versions prior to v3.0.210411 on QTS 4.3.3; versions prior to v16.0.0419 on QuTS hero h4.5.1; versions prior to v16.0.0419 on QuTScloud c4.5.1~c4.5.4 | Improper authorization
CVE-2021-20090 | Buffalo, Arcadyan | Buffalo WSR, Arcadyan firmware | WSR-2533DHPL2 firmware version <= 1.02, WSR-2533DHP3 firmware version <= 1.24 | Path traversal
CVE-2021-1473 | Cisco | Small Business RV Series Routers | RV340/RV340W, RV345/RV345P before 1.0.03.21 | OS command injection
CVE-2021-1472 | Cisco | Small Business Series Routers firmware | RV160, RV160W, RV260, RV260P, RV260W, RV340, RV340W, RV345, RV345P | Arbitrary code execution
CVE-2020-8515 | DrayTek | Vigor | Vigor2960 1.3.1_Beta, Vigor3900 1.4.4_Beta, Vigor300B 1.3.3_Beta, 1.4.2.1_Beta, 1.4.4_Beta | RCE
CVE-2020-4450 | IBM | WebSphere Application Server | 8.5 and 9.0 traditional | Arbitrary code execution
CVE-2020-35391 | Tenda | Tenda F3 Firmware | Tenda F3 Firmware 12.01.01.48 | Forced browsing
CVE-2020-3452 | Cisco | Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) Software | ASA <9.6.4.42, <9.8.4.20, <9.9.2.74, <9.10.1.42, <9.12.3.12, <9.13.1.10, <9.14.1.10; FTD <6.2.3.16, <6.3.0.6, <6.4.0.10, <6.5.05, <6.6.0.1 | Path traversal
CVE-2020-3451 | Cisco | Small Business Series Routers Firmware | RV340W, RV340, RV345, RV345P | Multiple security vulnerabilities, such as buffer overflow via environment variables and server side include (SSI) injection
CVE-2020-15415 | DrayTek | Vigor Firmware | 3900, 2960, and 300b | Command injection
CVE-2019-7256 | Linear eMerge | E3-Series | Nortekcontrol Linear Emerge Essential Firmware, Nortekcontrol Linear Emerge Elite Firmware | Command injection
CVE-2019-19824 | TOTOLINK | Realtek SDK based routers | A3002Ru through 2.0.0, A702R through 2.1.3, N301Rt through 2.16, N302R through 3.4.0, N300Rt through 3.4.0, N200Re through 4.0.0, N150Rt through 3.4.0, N100Re through 3.4.0, N302RE through 2.0.2 | OS command injection
CVE-2019-17621 | D-Link | DIR-859 Wi-Fi router | 1.05 and 1.06B01 Beta01; DIR-818Lx Bx <=v2.05b03_Beta08, DIR-822 Bx <=v2.03b01, DIR-822 Cx <=v3.12b04, DIR-823 Ax <=v1.00b06_Beta, DIR-859 Ax <=v1.06b01Beta01, DIR-868L Ax <=v1.12b04, DIR-868L Bx <=v2.05b02, DIR-869 Ax <=v1.03b02Beta02, DIR-880L Ax <=v1.08b04, DIR-890L/R Ax <=v1.11b01_Beta01, DIR-885L/R Ax <=v1.12b05, DIR-895L/R Ax <=v1.12b10 | OS command injection related to UPnP service
CVE-2019-12168 | Four-Faith | Four-Faith Wireless Mobile Router F3x24 | Firmware 1.0 | RCE via command shell
CVE-2019-11829 | Microsoft | Windows 10, Server 2016 | Server 2016, 1607, 1703 | OS command injection
CVE-2018-18852 | Cerio | Cerio DT-300N Firmware, Cerio DT-300n | DT-300N 1.1.6 through 1.1.12 devices | OS command injection
CVE-2017-7876 | QNAP | QTS | QTS 4.2.6 before build 20170517, QTS 4.3.3.0174 before build 20170503 | Command injection
CVE-2015-7450 | IBM | Tivoli Common Reporting | 3.1.0.2, 3.1, 3.1.2, 3.1.2.1, 2.1, 2.1.1.2, 3.1.0.1, 2.1.1 | Code injection