Ubiquiti EdgeRouter X Web Management Interface command injection
CVE-2023-2378
8.8 HIGH
What is CVE-2023-2378?
A command injection vulnerability has been identified in the Web Management Interface of Ubiquiti EdgeRouter X. The issue arises from improper handling of the argument 'suffix-rate-up', which allows remote attackers to execute arbitrary commands on the device. The vulnerability can be exploited without authentication, making it a significant security concern, especially since the exploit details have been publicly disclosed. Users are urged to update to the latest firmware to mitigate this risk.
Affected Version(s)
EdgeRouter X 2.0.9-hotfix.0
EdgeRouter X 2.0.9-hotfix.1
EdgeRouter X 2.0.9-hotfix.2