CVE-2023-26802
Published: 26 March 2023
Summary
CVE-2023-26802 is a critical-severity Path Traversal (CWE-22) vulnerability in Dcnglobal Dcbi-Netlog-Lab Firmware. Its CVSS base score is 9.8 (Critical).
Operationally, it is ranked in the top 1.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
CVE-2023-26802 is a critical authentication-bypass vulnerability in the /network_config/nsg_masq.cgi component of DCN DCBI-Netlog-LAB version 1.0. The flaw, assigned CWE-22, permits remote attackers to submit specially crafted requests that circumvent authentication checks and execute arbitrary operating-system commands. It carries a CVSS 3.1 base score of 9.8, reflecting network-accessible, low-complexity exploitation with no required credentials or user interaction and full impact on confidentiality, integrity, and availability.
Unauthenticated attackers on the network can leverage the issue to gain complete control of affected appliances, enabling them to read or modify configuration data, install persistent backdoors, or pivot into connected network segments. Because the vulnerable endpoint is reachable without prior authentication, exploitation can occur from any internet-facing or internally accessible management interface.
Public proof-of-concept material has been published in GitHub repositories, and the CVE’s EPSS score has reached a peak of 0.8591 with a current value of 0.7799, indicating sustained exploitation interest since disclosure. No vendor advisory or official patch information is referenced in the available sources.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-30595
Vulnerability details
An issue in the component /network_config/nsg_masq.cgi of DCN (Digital China Networks) DCBI-Netlog-LAB v1.0 allows attackers to bypass authentication and execute arbitrary commands via a crafted request.
- CWE(s): CWE-22 (Path Traversal)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Validates pathnames and filenames to prevent traversal outside intended directories.