Embedded device researchers often come across traditionally valuable vulnerabilities, such as command injection, whose exploitation is limited to authenticated, LAN-side users. From an attacker’s point of view, these restrictions are less than ideal for remote compromise. How can such bugs be weaponized for use in actual exploits? For the Lenovo ix4–300d NAS, the key to a successful attack lies in the victim’s web browser. In this livestream, ISE Labs will demonstrate the chaining of two unrelated vulnerabilities against the ix4–300d — cross-site scripting and command injection — to show how remote, unauthenticated adversaries can abuse the browser to gain root access to LAN targets.