A command injection vulnerability exists in the /cgi-bin/tools/ajax_cmd endpoint of Panabit PAP-XM320 up to and including V7.7. The CGI component allows authenticated users to execute arbitrary shell commands through the action=runcmd functionality and the user-controlled cmd parameter.
An authenticated attacker with access to the device management interface can exploit this issue to execute commands with root privileges.
Vendor download: https://download.panabit.com:9443/?product=ap
Affected endpoint: /cgi-bin/tools/ajax_cmd
Affected file on device: /usr/ramdisk/admin/cgi-bin/tools/ajax_cmd

The /cgi-bin/tools/ajax_cmd CGI endpoint exposes command execution functionality through action=runcmd. The cmd parameter is supplied by the HTTP request and is executed by the device. Although the component filters selected strings such as passwd and shadow, those filters do not prevent arbitrary command execution or meaningful exploitation.
The affected endpoint is reachable through the web management interface and can execute commands with root privileges.
The vulnerable request flow is:
HTTP POST request
-> /cgi-bin/tools/ajax_cmd
-> action=runcmd
-> user-controlled cmd parameter
-> shell command execution as root
The endpoint appears to be an administrative or diagnostic command runner. However, the server-side implementation does not restrict the requested command to a fixed allowlist of safe operations. Instead, it accepts a command string from the request and executes it. This means an authenticated web user can run arbitrary operating system commands rather than only intended diagnostic actions.
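The contrast the paragraph draws, a string-blocklist around a free-form command versus a fixed allowlist of diagnostic actions, is shown below as an added example that is not code from the advisory or from Panabit's firmware. The blocklist function mirrors only what the advisory states (it rejects strings containing passwd or shadow and otherwise passes the command through); the allowlist dispatcher, its action names, argument validators and the argv it builds are all assumptions chosen to illustrate the safe design: the request can only select an action and supply a validated argument, never a shell command string.

```python
import ipaddress
import re
import subprocess

# Blocklist-style filter as the advisory describes it: the command string is
# still executed as long as it does not contain the listed substrings.
# Returns True when the command would be passed to the shell.
BLOCKED_SUBSTRINGS = ("passwd", "shadow")

def blocklist_allows(cmd: str) -> bool:
    return not any(bad in cmd for bad in BLOCKED_SUBSTRINGS)

# Allowlist design (hypothetical): the request names an action, the server
# maps it to a fixed argv and validates the single argument it accepts.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9.-]{1,253}$")

def validated_host(value: str) -> str:
    """Accept an IP literal or a conservative hostname; reject anything else."""
    try:
        return str(ipaddress.ip_address(value))
    except ValueError:
        pass
    if HOSTNAME_RE.fullmatch(value) and ".." not in value:
        return value
    raise ValueError("invalid host argument")

# Action name -> builder returning an argv list. No shell is involved, so
# metacharacters in the argument cannot change which program runs.
ACTIONS = {
    "ping": lambda arg: ["ping", "-c", "3", validated_host(arg)],
    "traceroute": lambda arg: ["traceroute", "-m", "15", validated_host(arg)],
    "uptime": lambda arg: ["uptime"],
}

def build_argv(action: str, arg: str = "") -> list:
    """Resolve a request (action, arg) to an argv list, or raise ValueError."""
    if action not in ACTIONS:
        raise ValueError(f"unknown action {action!r}")
    if action == "uptime" and arg:
        raise ValueError("uptime takes no argument")
    return ACTIONS[action](arg)

def run_diagnostic(action: str, arg: str = "") -> str:
    """Execute an allowlisted diagnostic without a shell and return its stdout."""
    argv = build_argv(action, arg)
    result = subprocess.run(argv, capture_output=True, text=True,
                            timeout=30, check=False)
    return result.stdout

if __name__ == "__main__":
    # Constructed request values, not captured traffic.
    print(blocklist_allows("id"))                      # blocklist lets it through
    print(build_argv("ping", "127.0.0.1"))             # allowlist builds fixed argv
    for bad in (("ping", "127.0.0.1; id"), ("id", "")):
        try:
            build_argv(*bad)
        except ValueError as exc:
            print("rejected:", bad, "-", exc)
```

The point of `build_argv` is that the request never carries a program name or a shell string: the only things the client controls are the choice among three fixed actions and one argument that is validated against a narrow grammar before it becomes a single argv element. Running the CGI as an unprivileged service account rather than root would further bound the impact even if a validator were wrong.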