CVE-2013-10049 PUBLISHED

Raidsonic NAS Devices Unauthenticated Remote Command Execution

Assigner: VulnCheck
Reserved: 01.08.2025 Published: 01.08.2025 Updated: 06.08.2025

An OS command injection vulnerability exists in multiple Raidsonic NAS devices—specifically tested on IB-NAS5220 and IB-NAS4220—via the unauthenticated timeHandler.cgi endpoint exposed through the web interface. The CGI script fails to properly sanitize user-supplied input in the timeZone parameter of a POST request, allowing remote attackers to inject arbitrary shell commands.

Metrics

CVSS 4.0

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
CVSS Score: 9.3

Exploitability Metrics		Vulnerable System Impact Metrics		Subsequent System Impact Metrics
Attack Vector	Network	Confidentiality	High	Confidentiality	None
Attack Complexity	Low	Integrity	High	Integrity	None
Attack Requirements	None	Availability	High	Availability	None
Privileges Required	None
User Interaction	None

CVSS 4.0

Product Status

Vendor	Raidsonic Technology GmbH
Product	IB-NAS5220
Versions	Default: unaffected Version * is affected

Vendor	Raidsonic Technology GmbH
Product	IB-NAS4220
Versions	Default: unaffected Version * is affected

Credits

Michael Messner finder

References

Problem Types

CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') CWE

Impacts

CAPEC-88 OS Command Injection