CVE-2023-26866
Published: 04 April 2023
Summary
CVE-2023-26866 is a critical-severity Command Injection (CWE-77) vulnerability in GreenPacket OT-235 firmware. Its CVSS base score is 9.8 (Critical).
Operationally, it is ranked in the top 7.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
GreenPacket OH736's WR-1200 Indoor Unit and OT-235 devices, running firmware versions M-IDU-1.6.0.3_V1.1 and MH-46360-2.0.3-R5-GP respectively, contain a remote command injection vulnerability. The flaw permits arbitrary commands to be executed prior to authentication and with root privileges, resulting in complete device takeover. It is tracked under CWE-77 and carries a CVSS 3.1 score of 9.8, reflecting a network attack vector, low complexity, and no required privileges or user interaction.
An unauthenticated remote attacker can send crafted requests to the affected devices to inject and run operating-system commands. Successful exploitation grants full control over the unit, enabling arbitrary code execution, configuration changes, and persistence at the root level.
The two referenced GitHub repositories document the issue but contain no vendor advisories, patches, or mitigation guidance. The associated EPSS scores have remained essentially flat near 0.09 with no material post-disclosure rise.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-30658
Vulnerability details
GreenPacket OH736's WR-1200 Indoor Unit and OT-235, with firmware versions M-IDU-1.6.0.3_V1.1 and MH-46360-2.0.3-R5-GP respectively, are vulnerable to remote command injection. Commands are executed before login and run with root privileges, allowing complete takeover.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.