CVE-2023-2574
Published: 08 May 2023
Summary
CVE-2023-2574 is a high-severity OS command injection (CWE-78) vulnerability in the firmware of Advantech EKI-1521 serial device servers; the EKI-1522 and EKI-1524 models are affected as well. Its CVSS base score is 8.8 (High).
Operationally, it is ranked in the top 8.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
Advantech EKI-1524, EKI-1522, and EKI-1521 serial device servers running firmware through version 1.21 contain a command injection vulnerability in the device name input field. The flaw, tracked as CVE-2023-2574 and classified under CWE-78 and CWE-77, is reachable over the network: an authenticated user can submit a crafted POST request whose device name value is interpreted as part of an operating-system command, resulting in arbitrary command execution on the device. The issue carries a CVSS 3.1 base score of 8.8.
An attacker who already holds valid credentials can use the injection to execute operating-system commands with the privileges of the web application. Successful exploitation gives full control over the confidentiality, integrity, and availability of the affected device, enabling configuration changes, data exfiltration, or deployment of persistent malware. Because valid credentials are the only precondition, the practical barrier is the strength of the device's account management: shared, default, or reused web credentials make the flaw effectively reachable by anyone who can route to the management interface.
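The following Python is an added illustration of the CWE-78 pattern the advisory describes, not Advantech's firmware code and not taken from the advisory or the referenced proof-of-concept. It models a device-name field read from a form POST and spliced into a shell command, beside a hardened handler that validates the value against a hostname allowlist and writes the setting without invoking a shell. The field name `device_name`, the config-file write as the "privileged" action, the `authenticated` flag, and the sample POST bodies are assumptions and constructed inputs for the example.

```python
import re
import subprocess
import tempfile
from pathlib import Path
from urllib.parse import parse_qs

# Hypothetical device-name handler illustrating CWE-78. Not Advantech's code;
# the field name, the config-file write and the session flag are assumptions.
FIELD = "device_name"
# Allowlist: an RFC 1123 hostname label (letters, digits, hyphens, 1-63 chars,
# no leading or trailing hyphen). Shell metacharacters can never match.
DEVICE_NAME_RE = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?")


def device_name_from_body(body: str) -> str:
    """Extract the device name from an application/x-www-form-urlencoded POST body."""
    fields = parse_qs(body, keep_blank_values=True)
    if FIELD not in fields:
        raise ValueError(f"missing field {FIELD!r}")
    return fields[FIELD][0]


def vulnerable_set_device_name(body: str, authenticated: bool, config_path) -> tuple[str, str]:
    """Vulnerable pattern: the untrusted field is concatenated into a command
    line and handed to /bin/sh, so ';', '|', '$(...)' or backticks in the value
    become additional commands. Returns (command line as built, captured stdout)."""
    if not authenticated:
        raise PermissionError("login required")
    name = device_name_from_body(body)
    cmd = f"echo {name} > {config_path}"                 # CWE-78: no neutralisation
    proc = subprocess.run(["sh", "-c", cmd], capture_output=True, text=True)
    return cmd, proc.stdout


def hardened_set_device_name(body: str, authenticated: bool, config_path) -> str:
    """Hardened form: strict allowlist validation, then the setting is written
    directly with no shell involved. Returns the name that was stored."""
    if not authenticated:
        raise PermissionError("login required")
    name = device_name_from_body(body)
    if not DEVICE_NAME_RE.fullmatch(name):
        raise ValueError(f"invalid device name {name!r}")
    # If an external tool were genuinely required, the equivalent rule is
    # subprocess.run(["tool", name]) with an argv list and shell=False.
    Path(config_path).write_text(name + "\n")
    return name


def demo() -> dict:
    """Run both handlers on a benign and a hostile constructed body."""
    cfg = Path(tempfile.mkdtemp()) / "device_name.conf"
    benign = "device_name=eki-1521"           # constructed sample POST body
    hostile = "device_name=eki%3B+id"         # constructed; decodes to "eki; id"
    result = {}
    result["hardened_benign"] = hardened_set_device_name(benign, True, cfg)
    cmd, out = vulnerable_set_device_name(hostile, True, cfg)
    result["vulnerable_cmd"] = cmd            # "echo eki; id > <cfg>"
    result["vulnerable_stdout"] = out         # "eki\n" from the first echo
    result["vulnerable_file"] = cfg.read_text()  # output of the injected `id`
    try:
        hardened_set_device_name(hostile, True, cfg)
        result["hardened_hostile"] = "accepted"
    except ValueError:
        result["hardened_hostile"] = "rejected"
    try:
        hardened_set_device_name(benign, False, cfg)
        result["unauthenticated"] = "accepted"
    except PermissionError:
        result["unauthenticated"] = "rejected"
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The hostile body shows why output encoding or quoting is not enough on its own: once the value reaches `sh -c`, the `;` ends the intended command and `id` runs with the web application's privileges. The hardened handler never lets the value reach a shell, and the allowlist rejects anything outside the hostname grammar before any side effect occurs.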
Public advisories from CyberDanube and Advantech describe the issue and point to updated firmware releases that remediate the injection. The vendor firmware packages are available through the support pages referenced in the disclosure. Until the updated firmware is applied, restricting the web management interface to trusted administration networks reduces the set of users who can reach the injection point. Exploitation probability remains low, with an EPSS score that has not risen materially since publication.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-34052
Vulnerability details
Advantech EKI-1524, EKI-1522, and EKI-1521 devices through firmware 1.21 are affected by a command injection vulnerability in the device name input field, which can be triggered by authenticated users via a crafted POST request.
- CWE(s): CWE-78 (OS Command Injection), CWE-77 (Command Injection)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
- Advantech EKI-1521, EKI-1522, and EKI-1524 serial device servers running firmware through version 1.21
Mitigating Controls
Likely Mitigating Controls (AI-derived)
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.