CVE-2023-2373
Published: 28 April 2023
Summary
CVE-2023-2373 is a medium-severity Command Injection (CWE-77) vulnerability in Ui Edgemax Edgerouter Firmware. Its CVSS base score is 6.3 (Medium).
Operationally, it ranks in the top 5.6% of CVEs by exploit likelihood, it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
CVE-2023-2373 is a command injection vulnerability, tracked as CWE-77, that affects the Web Management Interface component of Ubiquiti EdgeRouter X devices running firmware versions up to and including 2.0.9-hotfix.6. The issue stems from insufficient validation of the ecn-up argument, allowing crafted input to be passed to an underlying system command.
An authenticated attacker with low privileges can trigger the flaw remotely over the network, without requiring user interaction, to execute arbitrary commands on the device. Successful exploitation yields limited but combined effects on confidentiality, integrity, and availability, consistent with the reported CVSS 3.1 base score of 6.3.
A functional proof-of-concept has been published publicly, and the EPSS score has remained steady at 0.1373 with no material upward movement observed after disclosure. The primary references consist of technical write-ups and exploit artifacts hosted on GitHub and VulDB.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-33863
Vulnerability details
A vulnerability, which was classified as critical, was found in Ubiquiti EdgeRouter X up to 2.0.9-hotfix.6. This affects an unknown part of the component Web Management Interface. The manipulation of the argument ecn-up leads to command injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-227649 was assigned to this vulnerability.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.