CVE-2021-45876
moderate-risk
Published 2022-03-21
Multiple versions of GARO Wallbox GLB/GTB/GTC are affected by unauthenticated command injection. The url parameter of the function module downloadAndUpdate is vulnerable to an command Injection. Unfiltered user input is used to generate code which then gets executed when downloading new firmware.
Do I need to act?
~
4.3% chance of exploitation in next 30 days
EPSS score — moderate exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
9
CVSS 9.8/10
Critical
NETWORK
/ LOW complexity
Affected Products (3)
Wallbox Gtb Firmware
Wallbox Gtc Firmware
Wallbox Glb Firmware
Affected Vendors
References (2)
Third Party Advisory
https://github.com/delikely/advisory/tree/main/GARO
Third Party Advisory
https://github.com/delikely/advisory/tree/main/GARO
49
/ 100
moderate-risk
Severity
32/34 · Critical
Exploitability
8/34 · Low
Exposure
9/34 · Low