Authenticated Command Injection
CVE-2023-2573

8.8HIGH

Key Information:

Vendor: Advantech
Status: Eki-1524; Eki-1522; Eki-1521
Vendor: CVE Published:; 8 May 2023

Summary

The command injection vulnerability in Advantech EKI-1524, EKI-1522, and EKI-1521 devices allows authenticated users to exploit the NTP server input field. By sending a specially crafted POST request, attackers can potentially execute arbitrary commands on the affected devices, risking the integrity and confidentiality of the network. Users should update to the latest firmware versions to mitigate this risk.

Affected Version(s)

EKI-1521 0 <= 1.21

EKI-1522 0 <= 1.21

EKI-1524 0 <= 1.21

References

https://www.advantech.com/en/support/details/firmware?id=...

patch

https://www.advantech.com/en/support/details/firmware?id=...

patch

https://www.advantech.com/en/support/details/firmware?id=...

patch

EPSS Score

5% chance of being exploited in the next 30 days.

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
May 8, 2023
Vulnerability Reserved
May 8, 2023

Credit

S. Dietz (CyberDanube)

T. Weber (CyberDanube)