Authenticated Command Injection Vulnerability Discovered In RaspAP: CVE-2021-33358 / CX-2021-4796


Severity: 9.9 - Critical Severity

Summary
RaspAP prior to version 2.6.6 is vulnerable to Authenticated Command Injection.


RaspAP prior to 2.6.6


An authenticated attacker can execute arbitrary OS commands on any RaspAP instance prior to 2.6.6. This can be chained with a privilege escalation exploit (CVE-2021-33356) to achieve root access.

Steps To Reproduce

  1. After authenticating, send the following POST request to the RaspAP host:
POST /hostapd_conf HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 355
Origin: http://localhost
Authorization: Basic YWRtaW46c2VjcmV0
Connection: close
Referer: http://localhost/hostapd_conf
Cookie: PHPSESSID=j99hb7n50dp4d26no5ccnjhf2o
Upgrade-Insecure-Requests: 1


The injectable parameters are “interface”, “ssid” and “wpa_passphrase”.

Expected Result:

The request will write empty files to /tmp/checkinterface, /tmp/checkssid and /tmp/checkpass.
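
For triage, the following added example (not part of the original advisory and not RaspAP code) audits a form-encoded POST body sent to /hostapd_conf and reports which of the three named parameters carry shell metacharacters or fail a format check. The allowlist patterns, the function name and the sample bodies are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs

# Parameters the advisory names as injectable.
WATCHED = ("interface", "ssid", "wpa_passphrase")

# Characters a POSIX shell uses for separators, substitution and redirection.
# SSIDs and passphrases may legitimately contain some of these, so a hit is a
# triage signal for review, not proof of an attack.
SHELL_META = re.compile(r"[;&|`$<>\n\r\\(){}]")

# Assumed format rules (not RaspAP's own validation).
RULES = {
    "interface": re.compile(r"[A-Za-z0-9_.\-]{1,15}"),   # Linux interface name limit
    "wpa_passphrase": re.compile(r"[\x20-\x7e]{8,63}"),  # WPA2-PSK passphrase range
}

def audit_hostapd_post(body):
    """Return {parameter: [issues]} for a urlencoded /hostapd_conf POST body."""
    fields = parse_qs(body, keep_blank_values=True)
    findings = {}
    for name in WATCHED:
        for value in fields.get(name, []):
            issues = []
            if SHELL_META.search(value):
                issues.append("shell metacharacter")
            rule = RULES.get(name)
            if rule and not rule.fullmatch(value):
                issues.append("fails allowlist")
            if name == "ssid" and not 1 <= len(value.encode()) <= 32:
                issues.append("ssid length outside 1-32 bytes")
            if issues:
                findings.setdefault(name, []).extend(issues)
    return findings

# Constructed sample bodies (not captured traffic).
BENIGN = "interface=wlan0&ssid=raspi-webgui&wpa_passphrase=ChangeMe12345"
SUSPECT = "interface=wlan0%3Becho+constructed&ssid=lab&wpa_passphrase=ChangeMe12345"

if __name__ == "__main__":
    for label, body in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(label, audit_hostapd_post(body))
```
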


This issue was fixed in version 2.6.6 through commit cae2031.


Attack Vector: Network

Attack Complexity: Low

Privileges Required: Low

User Interaction: None

Scope: Changed

Confidentiality: High

Integrity: High

Availability: High


This issue was discovered and reported by Checkmarx Security Researcher Omri Inbar.


  1. Commit (cae2031)