OS Command Injection Vulnerability in CONPROSYS IoT Gateway by Contec
CVE-2023-27917

8.8HIGH

Key Information:

Vendor: Contec Co.,ltd.
Status: Conprosys Iot Gateway Products
Vendor: CVE Published:; 11 April 2023

🔔 Create Contec Co.,ltd. Vulnerability Alert

What is CVE-2023-27917?

An OS command injection vulnerability exists in Contec's CONPROSYS IoT Gateway products, allowing remote authenticated attackers to execute arbitrary OS commands with root privileges through the Network Maintenance page. This enhances the potential for executing unauthorized commands and could lead to serious security breaches.

Affected Version(s)

CONPROSYS IoT Gateway products M2M Gateway with the firmware Ver.3.7.10 and earlier (CPS-MG341-ADSC1-111, CPS-MG341-ADSC1-931, CPS-MG341G-ADSC1-111, CPS-MG341G-ADSC1-930, and CPS-MG341G5-ADSC1-931), M2M Controller Integrated Type with firmware Ver.3.7.6 and earlier versions (CPS-MC341-ADSC1-111, CPS-MC341-ADSC1-931, CPS-MC341-ADSC2-111, CPS-MC341G-ADSC1-110, CPS-MC341Q-ADSC1-111, CPS-MC341-DS1-111, CPS-MC341-DS11-111, CPS-MC341-DS2-911, and CPS-MC341-A1-111), and M2M Controller Configurable Type with firmware Ver.3.8.8 and earlier versions (CPS-MCS341-DS1-111, CPS-MCS341-DS1-131, CPS-MCS341G-DS1-130, CPS-MCS341G5-DS1-130, and CPS-MCS341Q-DS1-131)

References

https://www.contec.com/api/downloadlogger?download=/-/med...

https://www.contec.com/download/donwload-list/?itemid=f83...

https://www.contec.com/download/donwload-list/?itemid=a05...

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 11, 2023
Vulnerability Reserved
Mar 14, 2023