Cyber Resilience

CVE-2023-23080

Critical · Public PoC · RCE

Published: 27 February 2023

Modified: 21 November 2024
KEV Added
Patch
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0463 (89.5th percentile)
Risk Priority: 22 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2023-23080 is a critical-severity Command Injection (CWE-77) vulnerability in Tenda IT7-LCS firmware. Its CVSS base score is 9.8 (Critical).

Operationally, it ranks in the top 10.5% of CVEs by exploit likelihood, it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

Deeper analysis

CVE-2023-23080 is a command injection vulnerability (CWE-77) affecting several Tenda IP camera products. Impacted devices include Tenda CP7 running firmware up to V11.10.00.2211041403, Tenda CP3 v.10 up to V20220906024_2025, and Tenda IT7-PCS, IT7-LCS, and IT7-PRS models up to the listed September 2022 firmware builds. The issue carries a CVSS 3.1 base score of 9.8.

An unauthenticated attacker can exploit the flaw over the network without user interaction to inject and execute arbitrary commands on the affected devices. Successful exploitation grants complete control over confidentiality, integrity, and availability of the camera system.

Public references consist of GitHub repositories containing vulnerability details for Tenda IPC products, but no vendor advisories, patches, or mitigation guidance are provided in the available information. The associated EPSS scores remain low with only minor variation between the current value of 0.0463 and the recorded peak of 0.0541.

Vulnerability details

Certain Tenda products are vulnerable to command injection. This affects Tenda CP7 <= V11.10.00.2211041403, Tenda CP3 v.10 <= V20220906024_2025, Tenda IT7-PCS <= V2209020914, Tenda IT7-LCS <= V2209020914, and Tenda IT7-PRS <= V2209020908.

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

tenda · it7-lcs firmware · ≤ 2209020914
tenda · it7-pcs firmware · ≤ 2209020914
tenda · it7-prs firmware · ≤ 2209020908
tenda · cp3 firmware · ≤ 20220906024_2025
tenda · cp7 firmware · ≤ 1.10.00.2211041403

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.
