CVE-2023-23080
Published: 27 February 2023
Summary
CVE-2023-23080 is a critical-severity Command Injection (CWE-77) vulnerability in Tenda IT7-LCS firmware. Its CVSS base score is 9.8 (Critical).
Operationally, it is ranked in the top 10.5% of CVEs by exploit likelihood. It is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
CVE-2023-23080 is a command injection vulnerability (CWE-77) affecting several Tenda IP camera products. Impacted devices include Tenda CP7 running firmware up to V11.10.00.2211041403, Tenda CP3 v.10 up to V20220906024_2025, and Tenda IT7-PCS, IT7-LCS, and IT7-PRS models up to the listed September 2022 firmware builds. The issue carries a CVSS 3.1 base score of 9.8.
An unauthenticated attacker can exploit the flaw over the network, without user interaction, to inject and execute arbitrary commands on the affected devices. Successful exploitation fully compromises the confidentiality, integrity, and availability of the camera system.
Public references consist of GitHub repositories containing vulnerability details for Tenda IPC products; the available information includes no vendor advisories, patches, or mitigation guidance. The associated EPSS scores remain low, with only minor variation between the current value of 0.0463 and the recorded peak of 0.0541.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-27180
Vulnerability details
Certain Tenda products are vulnerable to command injection. This affects Tenda CP7 <= V11.10.00.2211041403, Tenda CP3 v.10 <= V20220906024_2025, Tenda IT7-PCS <= V2209020914, Tenda IT7-LCS <= V2209020914, and Tenda IT7-PRS <= V2209020908.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.