Security Advisory: Remote Command Execution on Netcomm NTC 6200 and NWL 222

Introduction
This is the second installment of our command injection series affecting CGI shell scripts. This time we're exploring vulnerabilities affecting Netcomm Wireless devices, now property of Lantronix. Specifically, we looked at the NWL-222, also known as the "MachineLink 4G Lite" sold by Vodafone. Of course, these vulnerabilities were automatically spotted by our recently introduced bash static code analyser.
Remote Unauthenticated Code Execution
Summary
The Netcomm NTC 6200 and NWL 222 series expose a web interface through which operators configure and set up the device. Multiple endpoints of the web interface are vulnerable to arbitrary command injection, and the firmware ships with insecure hardcoded passwords.
Impact
Remote unauthenticated attackers can gain arbitrary command execution with elevated privileges (root) on affected devices.
Description
The Netcomm devices have multiple CGI scripts stored under /www/cgi-bin within their UBI filesystem. Six of these scripts (ssh.cgi, sms.cgi, roaminglist.cgi, rdb_tool.cgi, eth.cgi, dod.cgi) are affected by a command injection vulnerability.

Specifically, a qlist variable is read from the $QUERY_STRING environment variable:

This variable is then fed through read in a loop that builds VAR, SEP, NAME and VAL. So if we have a query string with "?my_variable=my_value", the script will end up with VAR set to "CGI_PARAM_my_variable=my_value", SEP set to "CGI_PARAM_my_variable my_value", NAME set to "CGI_PARAM_my_variable" and VAL set to "my_value".
Then, in an attempt to turn query string variables into actual shell variables, the script calls eval. If the user is not malicious, eval 'CGI_PARAM_my_variable=my_value' creates the shell variable CGI_PARAM_my_variable and sets its value to 'my_value'. However, feeding untrusted input to eval means arbitrary command injection: anything the query string contains is parsed as shell syntax.
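For contrast, here is an added example (not code from the Netcomm firmware or from ONEKEY) of how a CGI script can populate CGI_PARAM_* variables from the query string without re-parsing attacker text as code: the parameter name is checked against a strict character allowlist before it is spliced into the assignment, and the value reaches eval only as a variable reference, so it is never interpreted. The CGI_PARAM_ prefix mirrors the advisory; URL-decoding is assumed to happen elsewhere and is omitted.

```shell
#!/bin/sh
# Hardened CGI query-string parser (added example, not the vendor's script).
# Populates CGI_PARAM_<name> for each "name=value" pair in $1, which is what
# the Netcomm scripts intend, but without eval'ing the raw pair.
# Assumption: values are used as-is (no URL-decoding step here).

parse_query() {
    qs=$1
    rc=0
    # Split on '&' only; disable globbing so a '*' in a value cannot expand.
    oldifs=$IFS
    IFS='&'
    set -f
    for pair in $qs; do
        [ -z "$pair" ] && continue          # tolerate "a=1&&b=2"
        name=${pair%%=*}
        if [ "$name" = "$pair" ]; then
            val=''                          # bare "flag" with no '='
        else
            val=${pair#*=}
        fi
        case $name in
            ''|*[!A-Za-z0-9_]*)
                # Anything outside [A-Za-z0-9_] is refused: this is exactly
                # where "eval $VAR" in the original scripts lets query text
                # become shell syntax.
                printf 'parse_query: rejected parameter name %s\n' "$name" >&2
                rc=1
                continue ;;
        esac
        # Only the vetted name is part of the text eval parses; $val is
        # expanded after parsing, so ';', '$(' or backticks stay literal.
        eval "CGI_PARAM_${name}=\$val"
    done
    set +f
    IFS=$oldifs
    return $rc
}

# Read a parameter back by name, applying the same name check.
cgi_param() {
    case $1 in
        ''|*[!A-Za-z0-9_]*) return 1 ;;
    esac
    eval "printf '%s' \"\${CGI_PARAM_$1}\""
}
```

A rejected name makes parse_query return non-zero, so the calling script can refuse the request instead of silently continuing with partial input.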

This issue can be exploited with the following command:
Both firmware versions ship default accounts with hardcoded credentials (root:admin, root:bovine, admin:admin), which helps exploitation if the credentials haven't been changed.
Recommendations
If you have a device belonging to the NWL-2XX product line, we recommend you upgrade your firmware as soon as Lantronix publishes a fix.
If you own an EoL device, we recommend you change default credentials everywhere (if possible) and limit the network exposure of your device.
Key Takeaways
- Static Analysis on Extracted Scripts: By unpacking firmware and running our bash analyzer on the recovered shell-script source, we uncovered six CGI scripts on Netcomm's NWL-222 with eval-driven command injection.
- Unauthenticated Root Takeover: Combining unsanitized eval on $QUERY_STRING with default credentials (e.g., root:admin) lets attackers send one HTTP request and gain root access.
- 90-Day Disclosure Overview: Between March and June 2025, Lantronix's firmware "fixes" (v2.1.10.0, 2.1.20.0, 2.1.21.1) still failed our re-testing, which shows why vetting vendor patches yourself is essential.
- Continuous Re-Validation Is Crucial: Each firmware release must be re-scanned. If a "patched" script still permits injection, only an automated static-analysis pipeline will flag it immediately.
- Action for EoL vs. Supported Devices: For EoL gear, rotate default credentials or isolate the device. For active models, verify every anti-injection claim with automated vulnerability scans as each release ships.
- ONEKEY's Platform Advantage: From extracting firmware to instant SBOM generation and live patch validation, we cut MTTD and MTTR so you catch bad fixes before adversaries do.
Timeline
- 07/03/2025 - ONEKEY sends a notification to Lantronix through Lantronix's support system.
- 10/03/2025 - Lantronix answers the support ticket, indicates that the report has been sent to engineering.
- 25/03/2025 - Lantronix indicates that NTC-6200 is EoL and sends us links for NWL-222 firmware versions 2.1.10.0 and 2.1.20.0, supposedly fixing the vulnerability.
- 27/03/2025 - ONEKEY indicates that versions 2.1.10.0 and 2.1.20.0 do not contain a fix for any of the identified vulnerabilities.
- 27/04/2025 - ONEKEY requests an update and reserves CVE-2025-4010.
- 27/04/2025 - Lantronix indicates that a fix is on the way, scheduled for release before the end of the 90 days.
- 28/05/2025 - Lantronix sends a link to release 2.1.21.1 including "the improvements and encryption to address the issue raised".
- 28/05/2025 - ONEKEY indicates that the fix is insufficient and can be bypassed. Lantronix "shares [our] test result and message with the software team and will follow up once [they] receive their response."
- 02/06/2025 - End of the 90 days disclosure window. Publication.
We decided to publish even though a fix is not available yet, for two reasons. First, the NTC-6200 and probably other EoL devices are affected, and for those our policy dictates a 30-day disclosure window. Second, since the vulnerability also affects non-EoL devices like the NWL-222 (and probably others), we stuck to 90 days for them. While a definitive fix is still on the way, we think it's legitimate to publish now given that both EoL and non-EoL devices are affected.
About Onekey
ONEKEY is the leading European specialist in Product Cybersecurity & Compliance Management and part of the investment portfolio of PricewaterhouseCoopers Germany (PwC). The unique combination of the automated ONEKEY Product Cybersecurity & Compliance Platform (OCP) with expert knowledge and consulting services provides fast and comprehensive analysis, support, and management to improve product cybersecurity and compliance from product purchasing, design, development, production to end-of-life.