CVE-2024-36060 is a remote OS command injection vulnerability identified in the EnGenius EnStation5-AC A8J-ENS500AC wireless networking device firmware version 1.0.0. The vulnerability arises from improper input sanitization of the Ping and Speed Test parameters, which accept user-supplied input containing shell metacharacters. An attacker can craft malicious input that is passed directly to the underlying operating system shell, enabling execution of arbitrary commands without authentication or user interaction. This type of injection corresponds to CWE-78 (Improper Neutralization of Special Elements used in an OS Command). The vulnerability is exploitable remotely over the network (Attack Vector: Adjacent Network), with low attack complexity and no privileges required. The CVSS v3.1 base score is 8.8, reflecting high impact on confidentiality, integrity, and availability. Successful exploitation could allow an attacker to take full control of the device, manipulate network traffic, exfiltrate sensitive data, or disrupt network operations. Although no patches or official fixes have been released yet, the vulnerability has been publicly disclosed and assigned a CVE identifier. No known exploits have been reported in the wild to date, but the risk remains significant due to the ease of exploitation and critical nature of the affected devices in network infrastructure.

The impact of CVE-2024-36060 is severe for organizations relying on EnGenius EnStation5-AC devices, particularly in wireless network deployments. Exploitation can lead to complete device compromise, allowing attackers to execute arbitrary commands with system-level privileges. This could result in unauthorized access to internal networks, interception or manipulation of network traffic, deployment of malware or ransomware, and disruption of wireless connectivity. Confidentiality is at risk due to potential data exfiltration, integrity is compromised by possible unauthorized configuration changes or data tampering, and availability is threatened by denial-of-service conditions or device bricking. Organizations with critical infrastructure, such as telecommunications providers, government agencies, and enterprises with extensive wireless networks, face heightened risk. The lack of authentication and user interaction requirements lowers the barrier for attackers, increasing the likelihood of exploitation if devices are exposed to untrusted networks.

1. Immediately isolate affected EnGenius EnStation5-AC devices from untrusted networks or restrict access to trusted management networks only. 2. Disable or restrict access to the Ping and Speed Test functionalities if possible via device configuration to reduce attack surface. 3. Monitor network traffic for unusual or suspicious requests targeting the vulnerable parameters. 4. Implement network-level protections such as firewall rules or intrusion detection/prevention systems to block malicious payloads containing shell metacharacters. 5. Regularly audit device configurations and logs for signs of compromise or exploitation attempts. 6. Engage with EnGenius support or vendors to obtain firmware updates or patches as soon as they become available. 7. Consider deploying compensating controls such as network segmentation and multi-factor authentication for device management interfaces. 8. Educate network administrators about the vulnerability and enforce strict change management and monitoring practices. 9. If possible, replace vulnerable devices with alternative hardware that is not affected or has timely security updates. 10. Maintain an incident response plan tailored to network device compromises to quickly contain and remediate any exploitation.