CVE-2024-44383 is a command injection vulnerability identified in WAYOS FBM-291W firmware version 19.09.11. The flaw exists in the msp_info_htm component, which improperly sanitizes input parameters, allowing an attacker to inject and execute arbitrary system commands. The vulnerability is classified under CWE-77 (Improper Neutralization of Special Elements used in a Command), indicating that user-supplied input is not correctly validated before being passed to system-level commands. The CVSS v3.1 base score is 8.0, reflecting high severity due to the vulnerability's characteristics: it requires low privileges (PR:L), can be exploited remotely over the network (AV:A), does not require user interaction (UI:N), and impacts confidentiality, integrity, and availability (C:H/I:H/A:H). Exploitation could lead to full system compromise, including data theft, system manipulation, or denial of service. No patches or official mitigations have been released at the time of publication, and no active exploitation has been reported. The vulnerability affects the specific WAYOS FBM-291W device firmware, commonly used in network infrastructure, potentially impacting enterprise and service provider environments.

The vulnerability allows remote authenticated attackers with low privileges to execute arbitrary commands on affected WAYOS FBM-291W devices, potentially leading to full system compromise. This can result in unauthorized disclosure of sensitive information, modification or destruction of data, and disruption of network services. Given the device's role in network infrastructure, exploitation could facilitate lateral movement within corporate or service provider networks, enabling attackers to escalate privileges or pivot to more critical systems. The lack of available patches increases the risk window, and organizations relying on these devices for critical network functions may face operational outages or data breaches. The high severity score underscores the significant risk to confidentiality, integrity, and availability posed by this vulnerability.

Until official patches are released, organizations should take immediate steps to mitigate risk. These include: 1) Restrict network access to the management interfaces of WAYOS FBM-291W devices, limiting exposure to trusted networks and IP addresses only. 2) Implement strict network segmentation and firewall rules to isolate vulnerable devices from untrusted or less secure network segments. 3) Monitor device logs and network traffic for unusual command execution patterns or unauthorized access attempts targeting the msp_info_htm interface. 4) Enforce strong authentication mechanisms and consider multi-factor authentication for device access to reduce the risk of credential compromise. 5) If possible, disable or restrict the vulnerable msp_info_htm functionality until a patch is available. 6) Engage with the vendor for updates and apply patches promptly once released. 7) Conduct regular vulnerability assessments and penetration testing focused on network infrastructure devices to identify and remediate similar issues proactively.