Cyber Resilience

CVE-2023-2574

High · Public PoC · RCE

Published: 08 May 2023

Modified: 13 February 2025
CVSS Score v3.1: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0636 (91.2th percentile)
Risk Priority: 21 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2023-2574 is a high-severity OS Command Injection (CWE-78) vulnerability in Advantech EKI-1521 firmware. Its CVSS base score is 8.8 (High).

Operationally, it is ranked in the top 8.8% of CVEs by exploit likelihood, it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

Deeper analysis

Advantech EKI-1524, EKI-1522, and EKI-1521 serial device servers running firmware through version 1.21 contain a command injection vulnerability in the device name input field. The flaw, tracked as CVE-2023-2574 and assigned CWE-78 and CWE-77, is reachable over the network and permits an authenticated user to supply a crafted POST request that results in arbitrary command execution on the underlying operating system. The issue carries a CVSS 3.1 base score of 8.8.

An attacker who already possesses valid credentials can exploit the injection to execute operating-system commands with the privileges of the web application. Successful exploitation grants full control over confidentiality, integrity, and availability of the affected device, enabling actions such as configuration changes, data exfiltration, or deployment of persistent malware.

Public advisories from CyberDanube and Advantech describe the issue and point to updated firmware releases that remediate the injection. The vendor firmware packages are available through the support pages referenced in the disclosure. Exploitation probability remains low, with an EPSS score that has not risen materially since publication.

Vulnerability details

Advantech EKI-1524, EKI-1522, EKI-1521 devices through 1.21 are affected by a command injection vulnerability in the device name input field, which can be triggered by authenticated users via a crafted POST request.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

advantech · eki-1521 firmware · ≤ 1.21
advantech · eki-1522 firmware · ≤ 1.21
advantech · eki-1524 firmware · ≤ 1.21

Mitigating Controls

Likely Mitigating Controls (AI)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-78

Platform-independent apps typically execute inside a managed runtime or sandbox that restricts direct OS command execution, reducing the ability to exploit OS command injection.

addresses: CWE-78

Validates inputs to block special elements that would alter OS command execution.
