Cyber Resilience

CVE-2023-26213

High · Public PoC · RCE

Published: 03 March 2023

Modified: 07 March 2025
CVSS Score v3.1: 7.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0388 (88.5th percentile)
Risk Priority: 17 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2023-26213 is a high-severity OS Command Injection (CWE-78) vulnerability in Barracuda T100B Firmware. Its CVSS base score is 7.2 (High).

Operationally, it ranks in the top 11.5% of CVEs by exploit likelihood, it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

Deeper analysis

CVE-2023-26213 is an OS command injection vulnerability (CWE-78) affecting Barracuda CloudGen WAN Private Edge Gateway devices prior to version 8 webui-sdwan-1089-8.3.1-174141891. The flaw resides in the /ajax/update_certificate endpoint, where a crafted HTTP request can pass shell metacharacters through fields such as name and password, enabling arbitrary command execution on the underlying operating system.

An authenticated attacker with high privileges can send a malicious request over the network to achieve full command execution. Successful exploitation grants the attacker the ability to read, modify, or delete data and disrupt device operations, corresponding to the CVSS 7.2 rating that reflects high impact across confidentiality, integrity, and availability.

Vendor release notes for version 8.3.1 and independent advisories from SEC Consult and Full Disclosure indicate that the issue is resolved by applying the referenced firmware update. The EPSS score rose from low values to a peak of 0.0702 before receding to the current 0.0388, indicating a period of increased exploitation interest after disclosure.
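For defenders reviewing captured management-interface traffic, the following added example (not code from the vendor or the advisories) flags requests to /ajax/update_certificate whose name or password fields carry shell metacharacters. The form-encoded body format, the metacharacter set, the function names and the sample requests are assumptions made for illustration.

```python
import re
from urllib.parse import parse_qs, urlsplit

ENDPOINT = "/ajax/update_certificate"      # endpoint named in the advisory
WATCHED_FIELDS = ("name", "password")      # fields named in the advisory
# Assumption: characters a POSIX shell treats specially; tune to local policy.
SHELL_META = re.compile(r"[;&|`$<>(){}\\'\"\n\r]")

def suspicious_fields(method, target, body):
    """Return {field: [offending chars]} for one captured request.

    Assumes an application/x-www-form-urlencoded body (not confirmed by the page).
    """
    if method.upper() != "POST" or urlsplit(target).path.rstrip("/") != ENDPOINT:
        return {}
    findings = {}
    form = parse_qs(body, keep_blank_values=True)   # percent-decodes values
    for field in WATCHED_FIELDS:
        for value in form.get(field, []):
            hits = sorted(set(SHELL_META.findall(value)))
            # The advisory notes the name field can carry ":password".
            if field == "name" and ":" in value:
                hits.append(":")
            if hits:
                findings.setdefault(field, []).extend(hits)
    return findings

# Constructed sample requests (method, target, body); not captured traffic.
SAMPLES = [
    ("POST", "/ajax/update_certificate", "name=vpn-cert&password=Correct-Horse-7"),
    ("POST", "/ajax/update_certificate", "name=vpn-cert&password=x%3Becho+test"),
    ("POST", "/ajax/update_certificate?x=1", "name=a%3Apassword&password=ok"),
    ("POST", "/ajax/other", "name=a%3Bb&password=c%7Cd"),
]

def scan(samples):
    """Return (index, findings) for every sample that trips the check."""
    out = []
    for i, (method, target, body) in enumerate(samples):
        found = suspicious_fields(method, target, body)
        if found:
            out.append((i, found))
    return out

if __name__ == "__main__":
    for idx, found in scan(SAMPLES):
        print(f"request {idx}: {found}")
```

A hit is a triage signal on devices that have not yet received the 8.3.1 update, not proof of compromise, since legitimate passwords may contain some of these characters.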

EU & UK References

Vulnerability details

On Barracuda CloudGen WAN Private Edge Gateway devices before 8 webui-sdwan-1089-8.3.1-174141891, an OS command injection vulnerability exists in /ajax/update_certificate - a crafted HTTP request allows an authenticated attacker to execute arbitrary commands. For example, a name field can contain :password and a password field can contain shell metacharacters.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

barracuda · t100b firmware · 8.3.1
barracuda · t200c firmware · 8.3.1
barracuda · t400c firmware · 8.3.1
barracuda · t600d firmware · 8.3.1
barracuda · t900b firmware · 8.3.1
barracuda · t93a firmware · 8.3.1
barracuda · t193a firmware · 8.3.1

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-78

Platform-independent apps typically execute inside a managed runtime or sandbox that restricts direct OS command execution, reducing the ability to exploit OS command injection.

addresses: CWE-78

Validates inputs to block special elements that would alter OS command execution.

References