Cyber Resilience

CVE-2023-2522

MediumPublic PoC

Published: 04 May 2023

Published
04 May 2023
Modified
21 November 2024
KEV Added
Patch
CVSS Score v3.1 4.7 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L
EPSS Score 0.1503 94.7th percentile
Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2023-2522 is a medium-severity OS Command Injection (CWE-78) vulnerability in Feiyuxing Vec40G Firmware. Its CVSS base score is 4.7 (Medium).

Operationally, ranked in the top 5.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

Deeper analysis

CVE-2023-2522 is an OS command injection vulnerability, tracked as CWE-78, that affects the Network Detection component of Chengdu VEC40G 3.0. The flaw resides in the file /send_order.cgi?parameter=access_detect, where the COUNT argument can be manipulated with input such as "3 | netstat -an" to execute arbitrary operating-system commands.

An attacker with administrative credentials can launch the attack remotely over the network. Successful exploitation yields limited read, write, and availability impacts on the affected device, as reflected in the CVSS 4.7 base score.

Public references consist of disclosure entries on Vuldb and a GitHub repository containing exploit details; the vendor was notified prior to publication but provided no response or patch information.

The associated EPSS score rose from a low baseline to a peak of 0.2645 before receding to its current value of 0.1503, indicating measurable post-disclosure interest in the issue.

EU & UK References

Vulnerability details

A vulnerability was found in Chengdu VEC40G 3.0. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file /send_order.cgi?parameter=access_detect of the component Network Detection. The manipulation of the argument COUNT with the input…

more

3 | netstat -an leads to os command injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-228013 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

feiyuxing
vec40g firmware
3.0

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-78

Platform-independent apps typically execute inside a managed runtime or sandbox that restricts direct OS command execution, reducing the ability to exploit OS command injection.

addresses: CWE-78

Validates inputs to block special elements that would alter OS command execution.

References