Bitdefender BOX 2 versions Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’) Vulnerability


A command injection vulnerability has been discovered in the bootstrap stage of Bitdefender BOX 2, versions and 


The information has been provided by Claudio Bozzato

The original article can be found at:


The API method `/api/download_image` unsafely handles the production firmware URL supplied by remote servers, leading to arbitrary execution of system commands. In order to exploit the condition, an unauthenticated attacker should impersonate an infrastructure server to trigger this vulnerability.
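The pattern behind this class of bug, and the fix a defender would apply, as an added illustration that is not code from the advisory, from Bitdefender, or from the BOX 2 firmware: the vulnerable form splices a server-supplied URL into a shell command string, while the hardened form validates the URL against an allowlist and passes it as a single argv element so no shell ever parses it. The allowed host, the destination path and the use of `wget` are assumptions made for the example.

```python
import subprocess
from urllib.parse import urlparse

# Hosts the downloader may fetch firmware from. Constructed placeholder for
# this example, not Bitdefender's real update infrastructure.
ALLOWED_HOSTS = {"firmware.example.invalid"}


def build_download_command_unsafe(url: str) -> str:
    """Vulnerable pattern: the remotely supplied URL is concatenated into a
    command string that a shell will parse, so any shell metacharacter in
    the URL is interpreted as part of the command line."""
    return "wget -O /tmp/firmware.img " + url


def validate_firmware_url(url: str) -> str:
    """Accept only a plain https URL pointing at an allowed host."""
    parsed = urlparse(url)
    if parsed.scheme != "https":
        raise ValueError("firmware URL must use https")
    if parsed.hostname not in ALLOWED_HOSTS:
        raise ValueError(f"firmware host not allowed: {parsed.hostname!r}")
    if parsed.username or parsed.password:
        raise ValueError("credentials in firmware URL are not allowed")
    # Defence in depth: the value is never handed to a shell below, but a
    # firmware URL has no legitimate need for whitespace or shell syntax.
    forbidden = ";|&$`<>()\\'\""
    if any(ch.isspace() or ch in forbidden for ch in url):
        raise ValueError("firmware URL contains forbidden characters")
    return url


def build_download_command_safe(url: str, dest: str = "/tmp/firmware.img") -> list:
    """Hardened pattern: validate first, then build an argv list. Each
    element is passed to the program verbatim; nothing is shell-parsed."""
    safe_url = validate_firmware_url(url)
    return ["wget", "-O", dest, safe_url]


def download_firmware(url: str) -> subprocess.CompletedProcess:
    """Run the hardened command without a shell (shell=False is the default
    for subprocess.run when a list is given)."""
    return subprocess.run(build_download_command_safe(url),
                          check=True, capture_output=True)
```

`build_download_command_safe` is the piece worth unit-testing: it must return a four-element argv for a well-formed allowed URL and raise for a wrong scheme, an unknown host, or a URL carrying shell syntax. Authenticating the update server (TLS with certificate pinning) closes the impersonation path the advisory describes; the argv construction closes the injection path even if that authentication fails.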


Vulnerable Systems:

Bitdefender BOX 2 versions

Bitdefender BOX 2 versions


CVE Information:



Disclosure Timeline:
Published Date: 1/27/2020

Categories: FeaturedNews