The Cybersecurity and Infrastructure Security Agency and the FBI have released a cyber advisory calling on software companies to address operating system command injection vulnerabilities before shipping their products.
The alert was issued in response to recent attacks that exploited multiple OS command injection security flaws in network edge devices to compromise users, CISA said Wednesday.
The agency warned that the vulnerabilities provide an opportunity for threat actors to remotely execute code on targeted network devices.
However, CISA added that OS command injection vulnerabilities can be eliminated at the source by taking a “secure by design approach.”
The agency urged software vendors to validate and sanitize user input when constructing commands to execute OS commands, noting that such practice reduces potential risks to customers.
CISA and the FBI also advised technology manufacturers to study previous cyber incidents involving OS command injection vulnerabilities and develop a plan to eliminate future threats.
In addition, tech leaders can review threat models, employ modern component libraries and implement aggressive adversarial product testing to prevent such vulnerabilities.
