Ubiquiti EdgeRouter X Web Management Interface command injection
CVE-2023-2374

8.8HIGH

Key Information:

Vendor

Ubiquiti

Status
EdgeRouter X
Vendor
CVE Published:
28 April 2023

What is CVE-2023-2374?

An identified vulnerability in the Web Management Interface of Ubiquiti EdgeRouter X allows for remote command injection through manipulation of the 'ecn-down' argument. This flaw provides attackers a means to execute arbitrary commands on the device, posing a significant risk to network integrity and security. Immediate awareness and remediation actions are essential due to the public disclosure of the exploit details.

Affected Version(s)

EdgeRouter X 2.0.9-hotfix.0

EdgeRouter X 2.0.9-hotfix.1

EdgeRouter X 2.0.9-hotfix.2

References

https://vuldb.com/?id.227650
vdb-entrytechnical-description
https://vuldb.com/?ctiid.227650
signaturepermissions-required
https://github.com/leetsun/IoT/tree/main/EdgeRouterX/CI/6
exploit

CVSS V3.1

Score:
8.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

leetmoon (VulDB User)
.