After a period of time, we developed a fuzz test to fuzz RouterOS, and finally got an error, which was marked as CVE-2023-24090, but unfortunately this error cannot achieve RCE, we will continue to optimize the fuzz test framework, looking forward to one time:)
@yehao_this
Oh good, CVE-2021-41773 is in fact also RCE providing mod-cgi is enabled. An attacker can call any binary on the system and supply environment variables (that's how CGI works!) - if they can upload a file and set +x permissions, they can trivially run commands as Apache user.
@0vercl0k Hello, I am a beginner in IOT device research. Have you finished writing a blog on how the CVE-2022-24354 vulnerability is fully documented? I want to learn from it how you use it, thank you