PatchSiren

CVE-2015-6024 Netcommwireless CVE debrief

CVE-2015-6024 is a critical command-injection issue in NetCommWireless HSPA 3G10WVE router firmware affecting ping.cgi. The supplied description says remote authenticated users can trigger arbitrary command execution by injecting shell metacharacters into DIA_IPADDRESS. Because this is on a router management path, exposed or weakly protected admin access can translate into full device compromise.

Vendor: Netcommwireless
Product: CVE-2015-6024
CVSS: CRITICAL 9.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-09
Original CVE updated: 2026-05-13
Advisory published: 2017-02-09
Advisory updated: 2026-05-13

Who should care

Organizations still running NetCommWireless HSPA 3G10WVE routers, especially environments with legacy firmware, remote administration enabled, or multiple branch/edge devices managed by small IT teams or MSPs.

Technical summary

The vulnerable CGI handler accepts unsanitized DIA_IPADDRESS input and passes it in a way that permits shell metacharacter injection, which aligns with CWE-77. The supplied record says affected firmware is before 3G10WVE-L101-S306ETS-C01_R05, and the NVD CPE mapping also flags 3G10WVE-L101-S306ETS-C01_R03 as vulnerable. The CVSS vector in the supplied record is inconsistent with the narrative because it rates the issue as network-exploitable without privileges, while the text says remote authenticated users.

Defensive priority

Critical: prioritize immediate review, patching, or isolation of affected devices.

Recommended defensive actions

  • Identify all NetCommWireless HSPA 3G10WVE devices and confirm exact firmware versions.
  • Upgrade any affected firmware to 3G10WVE-L101-S306ETS-C01_R05 or later if supported.
  • Restrict management interface exposure to trusted networks only.
  • Require strong administrator authentication and remove unused admin accounts.
  • If patching is not possible, segment or isolate the device and place compensating controls around management access.
  • Review logs and configuration changes on exposed devices for signs of unauthorized command execution.
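
One way to carry out the log review above, as an added example that is not code from the advisory or the vendor: it flags any ping.cgi request whose DIA_IPADDRESS value is not a plain IP address or hostname. It assumes management traffic passes through a proxy or capture point that writes combined-format access logs with the parameter in the query string; the /PLACEHOLDER/ path prefix and all sample log lines are constructed.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Source address and request target of a combined-format log line (assumed format).
REQUEST_RE = re.compile(r'^(?P<src>\S+) .*?"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')
# Loose hostname allow-list: letters, digits, dots and hyphens only.
HOSTNAME_RE = re.compile(r'^[A-Za-z0-9][A-Za-z0-9.-]{0,252}$')

# Constructed sample lines; addresses are documentation ranges.
SAMPLE_LOG = [
    '198.51.100.7 - admin [12/May/2016:10:01:02 +0000] "GET /PLACEHOLDER/ping.cgi?DIA_IPADDRESS=192.0.2.1 HTTP/1.1" 200 512',
    '198.51.100.7 - admin [12/May/2016:10:02:10 +0000] "GET /PLACEHOLDER/ping.cgi?DIA_IPADDRESS=example.com HTTP/1.1" 200 498',
    '203.0.113.9 - admin [12/May/2016:10:05:44 +0000] "GET /PLACEHOLDER/ping.cgi?DIA_IPADDRESS=192.0.2.1%3Becho+constructed HTTP/1.1" 200 731',
    '203.0.113.9 - admin [12/May/2016:10:06:01 +0000] "GET /PLACEHOLDER/ping.cgi?DIA_IPADDRESS=192.0.2.1%7Cecho+constructed HTTP/1.1" 200 640',
    '198.51.100.7 - admin [12/May/2016:10:07:00 +0000] "GET /PLACEHOLDER/status.cgi?DIA_IPADDRESS=x%3By HTTP/1.1" 200 100',
]

def is_plain_target(value):
    """True only for an IP literal or a hostname; anything else is suspect."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return bool(HOSTNAME_RE.match(value))

def suspicious_ping_requests(lines):
    """Return (source, decoded value) for ping.cgi requests with an unexpected DIA_IPADDRESS."""
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a recognisable request line
        url = urlsplit(m.group("target"))
        if not url.path.lower().endswith("ping.cgi"):
            continue  # only the handler named in the CVE description
        # parse_qs percent-decodes, so encoded metacharacters are compared decoded.
        values = parse_qs(url.query, keep_blank_values=True).get("DIA_IPADDRESS", [])
        hits.extend((m.group("src"), v) for v in values if not is_plain_target(v))
    return hits

if __name__ == "__main__":
    for src, value in suspicious_ping_requests(SAMPLE_LOG):
        print(f"review: {src} sent DIA_IPADDRESS={value!r}")
```

If the device submits the parameter in a POST body, query-string logs will not contain it and the same allow-list check has to be applied to captured request bodies instead.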

Evidence notes

Supplied NVD text identifies ping.cgi in NetCommWireless HSPA 3G10WVE firmware and cites shell metacharacter injection in DIA_IPADDRESS, classified as CWE-77. The NVD references include Packet Storm, Full Disclosure, SecurityFocus archives, and Exploit-DB entries, indicating public disclosure materials. The supplied data also shows a version-scope mismatch: the description says firmware before 3G10WVE-L101-S306ETS-C01_R05, while the NVD CPE entry specifically marks 3G10WVE-L101-S306ETS-C01_R03 as vulnerable. The CVSS vector in the supplied record conflicts with the wording about remote authenticated users, so access assumptions should be verified against deployment reality.

Official resources

Publicly discussed in third-party advisories and mailing-list posts in May 2016; the NVD record was published on 2017-02-09 and later modified on 2026-05-13.