Home

Description

Gargoyle router management utility versions 1.5.x contain an authenticated OS command execution vulnerability in /utility/run_commands.sh. The application fails to properly restrict or validate input supplied via the 'commands' parameter, allowing an authenticated attacker to execute arbitrary shell commands on the underlying system. Successful exploitation may result in full compromise of the device, including unauthorized access to system files and execution of attacker-controlled commands.

PUBLISHED Reserved 2025-07-24 | Published 2025-12-31 | Updated 2026-01-02 | Assigner VulnCheck




HIGH: 8.7CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Problem types

CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Product status

Default status
unaffected

1.5.x
affected

Credits

Provensec finder

References

blog.xlab.qianxin.com/large-scale-botnet-airashi-en/ exploit

packetstorm.news/files/id/132149 exploit

www.gargoyle-router.com/ product

blog.xlab.qianxin.com/large-scale-botnet-airashi-en/ technical-description

www.vulncheck.com/...s-command-execution-via-run-commands-sh third-party-advisory

cve.org (CVE-2015-10145)

nvd.nist.gov (CVE-2015-10145)

Download JSON

Data based on CVE®. Copyright © 1999-2025, The MITRE Corporation. All rights reserved.