Authenticated Command Injection
CVE-2023-2574

8.8HIGH

Key Information:

Vendor: Advantech
Status: Eki-1524; Eki-1522; Eki-1521
Vendor: CVE Published:; 8 May 2023

Summary

Advantech's EKI-1524, EKI-1522, and EKI-1521 series devices, running firmware version 1.21 or earlier, are susceptible to a command injection vulnerability. This flaw enables authenticated attackers to exploit the device name input field through specifically crafted POST requests, potentially compromising the integrity and functionality of the devices. Users are strongly advised to upgrade to the latest firmware as patches are available to rectify this security issue.

Affected Version(s)

EKI-1521 0 <= 1.21

EKI-1522 0 <= 1.21

EKI-1524 0 <= 1.21

References

https://www.advantech.com/en/support/details/firmware?id=...

patch

https://www.advantech.com/en/support/details/firmware?id=...

patch

https://www.advantech.com/en/support/details/firmware?id=...

patch

EPSS Score

5% chance of being exploited in the next 30 days.

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
May 8, 2023
Vulnerability Reserved
May 8, 2023

Credit

S. Dietz (CyberDanube)

T. Weber (CyberDanube)