CVE-2024-45242 is an OS command injection vulnerability identified in EnGenius ENH1350EXT A8J-ENH1350EXT wireless access points running firmware versions through 3.9.3.2_c1.9.51. The vulnerability arises from insufficient input sanitization in the Ping and Speed Test utilities, which accept user-supplied input that is passed to the underlying operating system shell. Attackers can inject shell metacharacters to execute arbitrary commands on the device. The attack vector is local, requiring proximity to the device's Wi-Fi network during its initial setup phase. At this time, the device creates an open, unsecured wireless network and the administrative interface is accessible with default credentials (admin/admin). This setup window allows an attacker to connect without authentication and exploit the command injection flaw to gain root-level access. The vulnerability is classified under CWE-78 (Improper Neutralization of Special Elements used in an OS Command). The CVSS v3.1 base score is 7.8, reflecting high severity due to the potential for full system compromise, including confidentiality breaches, integrity violations, and denial of service. No patches or exploit code are currently publicly available, but the risk remains high given the ease of exploitation during the setup phase and the critical privileges obtained. Organizations deploying these devices should be aware of the risk window and take immediate steps to secure or replace affected units.

The impact of CVE-2024-45242 is significant for organizations using EnGenius ENH1350EXT devices. An attacker within Wi-Fi range can exploit the vulnerability during the device's initial setup phase to execute arbitrary commands with root privileges. This can lead to full device compromise, allowing attackers to intercept or manipulate network traffic, deploy persistent malware, pivot into internal networks, or cause denial of service by disrupting device functionality. The exposure of default credentials and an open network during setup increases the attack surface, making it easier for attackers to gain initial access. Organizations relying on these devices for wireless connectivity, especially in sensitive environments such as corporate offices, educational institutions, or critical infrastructure, face risks to data confidentiality, network integrity, and operational availability. The vulnerability also poses risks to supply chain security if these devices are used in managed service provider environments or multi-tenant networks.

To mitigate CVE-2024-45242, organizations should implement the following specific measures: 1) Immediately update affected devices to a patched firmware version once available from EnGenius. Monitor vendor advisories closely for patch releases. 2) During initial setup, avoid connecting to the device's open network from untrusted locations or devices. Perform setup in a physically secure environment to prevent unauthorized access. 3) Change default administrative credentials (admin/admin) immediately after setup to strong, unique passwords to prevent unauthorized login. 4) Disable or restrict access to the Ping and Speed Test utilities if possible, or apply input validation controls to prevent command injection. 5) Segment the wireless network used for device setup from production networks to limit attacker lateral movement. 6) Employ network monitoring to detect unusual command execution or administrative access patterns on these devices. 7) Consider replacing affected devices with models not vulnerable to this issue if timely patching is not feasible. 8) Educate IT staff on the risks of default credentials and unsecured setup networks to improve operational security practices.