CVE-2023-26602
Published: 26 February 2023
Summary
CVE-2023-26602 is a critical-severity Command Injection (CWE-77) vulnerability in Asus Asmb8-Ikvm Firmware. Its CVSS base score is 9.8 (Critical).
Operationally, ranked in the top 1.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
CVE-2023-26602 affects ASUS ASMB8 iKVM firmware versions through 1.14.51. The flaw permits remote attackers to execute arbitrary code by leveraging SNMP to register extensions under NET-SNMP-EXTEND-MIB, with proof-of-concept use of snmpset to invoke /bin/sh for command execution. The issue carries a CVSS 3.1 score of 9.8 and is classified under CWE-77.
Unauthenticated attackers with network access to the SNMP service can exploit the weakness without user interaction, obtaining full control over the baseboard management controller and the ability to run commands with elevated privileges on the affected device.
Public disclosures, including the advisory at nwsec.de/NWSSA-002-2023.txt and detailed PoCs on Packet Storm and Full Disclosure lists, document the attack vector but do not outline vendor-supplied patches or configuration workarounds in the provided references.
EPSS for the vulnerability reached a peak of 0.7861, demonstrating a material rise in exploitation interest after disclosure before receding to the current value of 0.7009.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-30397
Vulnerability details
ASUS ASMB8 iKVM firmware through 1.14.51 allows remote attackers to execute arbitrary code by using SNMP to create extensions, as demonstrated by snmpset for NET-SNMP-EXTEND-MIB with /bin/sh for command execution.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.