Seiko Solutions SkyBridge Routers critical vulnerability exposes them to command injection
Take action: If you are using Seiko Solutions SkyBridge series routers, restrict the remote monitoring and control functions to trusted networks, or if that's not possible, disable them. Then patch ASAP.
Seiko Solutions has disclosed a critical vulnerability in its SkyBridge/SkyBridge BASIC series products. The SkyBridge series routers are LTE-enabled IoT routers designed for high availability and diverse communication needs. They are suited for IoT/M2M applications and can be used in various environments, including vehicular and industrial settings.
The vulnerability, tracked as CVE-2024-32850 (CVSS score 9.8), is a command injection flaw that could allow threat actors to execute arbitrary commands with administrator privileges without needing to authenticate.
The vulnerability affects SkyBridge MB-A100/110 up to version 4.2.2 and SkyBridge BASIC MB-A130 up to version 1.5.5.
This vulnerability can be exploited if remote monitoring access from outside is enabled. In such cases, attackers could attack or destroy the systems, as well as steal or tamper with settings data. SkyBridge has released patches to address this issue.
Affected versions include:
- SkyBridge MB-A100/110 up to Ver. 4.2.2
- SkyBridge BASIC MB-A130 up to Ver. 1.5.5
The versions that are not affected include:
- SkyBridge MB-A100/110 Ver. 4.2.3 and later
- SkyBridge BASIC MB-A130 Ver. 1.5.7 and later
Users should upgrade their firmware to the latest versions as specified in the SkyBridge security advisory. If upgrading is not immediately possible, the following workarounds are recommended:
- Disable remote monitoring and control functions.
- Enable authentication or encryption in remote monitoring and control functions.
- Use a closed network line that is not connected to the Internet.