CVE-2017-20236
Published: 03 April 2026
Summary
CVE-2017-20236 is a critical-severity OS Command Injection (CWE-78) vulnerability in ProSoft Technology ICX35-HWC firmware. Its CVSS base score is 9.3 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 47.7th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog. A public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 IA-8 (Identification and Authentication (Non-organizational Users)) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2017-20236 is an input validation vulnerability classified under CWE-78 (OS Command Injection) in the web user interface of ProSoft Technology ICX35-HWC cellular gateways running versions 1.3 and prior. The flaw enables remote attackers to inject and execute arbitrary system commands by submitting malicious input through unvalidated fields in the accessible web interface.
The vulnerability can be exploited by any unauthenticated remote attacker with network access to the device, requiring low complexity and no user interaction (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, score 9.8). Successful exploitation grants root privileges, allowing full arbitrary command execution on the affected gateway.
Advisories from Belden (Security Bulletin BSECV-2017-10) and VulnCheck detail mitigation strategies, available at https://assets.belden.com/m/1116a05ab702b2ba/original/Security-Bulletin-User-Interface-ProSoft-ICX35-BSECV-2017-10.pdf and https://www.vulncheck.com/advisories/prosoft-technology-icx35-hwc-command-injection-via-web-interface.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2017-18961
Vulnerability details
ProSoft Technology ICX35-HWC versions 1.3 and prior cellular gateways contain an input validation vulnerability in the web user interface that allows remote attackers to inject and execute system commands by submitting malicious input through unvalidated fields. Attackers can exploit this vulnerability to gain root privileges and execute arbitrary commands on the device through the accessible web interface.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Direct OS command injection in the unauthenticated web UI enables remote exploitation of a public-facing application for arbitrary command execution as root.
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
Directly requires validation of all inputs to the web user interface, comprehensively preventing OS command injection exploits like CVE-2017-20236.
Mandates timely identification, reporting, and correction of flaws such as this input validation vulnerability via patching or firmware updates.
Requires identification and authentication for non-organizational users accessing the web interface, blocking unauthenticated remote attackers from reaching vulnerable input fields.