Cyber Resilience

CVE-2023-31446

Critical · Public PoC · RCE

Published: 10 January 2024

Modified: 20 June 2025
KEV Added
Patch
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.9168 (99.7th percentile)
Risk Priority: 75 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2023-31446 is a critical-severity Command Injection (CWE-77) vulnerability in Cassianetworks Xc1000 Firmware. Its CVSS base score is 9.8 (Critical).

Operationally, it ranks in the top 0.3% of CVEs by exploit likelihood, it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

Deeper analysis

CVE-2023-31446 affects Cassia Gateway firmware versions XC1000_2.1.1.2303082218 and XC2000_2.1.1.2303090947. The root cause is a lack of sanitization on the queueUrl parameter accepted by the /bypass/config endpoint, which permits injection of Bash commands that are later executed with root privileges during device startup. The flaw is tracked under CWE-77 and carries a CVSS 3.1 score of 9.8.

An unauthenticated attacker with network access can supply a malicious queueUrl value and thereby achieve arbitrary command execution as root on the affected gateway. Because the injected commands run automatically at boot, successful exploitation provides persistent control of the device without further interaction.

The associated EPSS score currently stands at 0.9168 with a recorded peak of 0.9285, indicating sustained and substantial exploitation interest since disclosure. Public proof-of-concept material is available that demonstrates remote code execution against the listed firmware builds.
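
The check below is an added example, not code from the vendor or from this page: it applies a strict allowlist to a queueUrl value and uses the same check to triage web or proxy logs for /bypass/config requests. The function names, the scheme allowlist, the access-log format and the assumption that queueUrl appears in the logged query string are all illustrative; the sample lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

ALLOWED_SCHEMES = {"http", "https", "mqtt", "mqtts"}  # assumption: adjust to your deployment
# Strict allowlist: scheme://host[:port][/path]; no quotes, spaces or shell metacharacters.
URL_RE = re.compile(
    r"([a-z][a-z0-9+.-]*)://([A-Za-z0-9.-]{1,253})(?::(\d{1,5}))?(/[A-Za-z0-9._~/-]*)?")
# Assumed log format: the request line is quoted, as in common access logs.
REQUEST_RE = re.compile(r'"(?:GET|POST|PUT) (\S+) HTTP/[\d.]+"')

def check_queue_url(value):
    """Return (ok, reason) for a candidate queueUrl value."""
    if not value or len(value) > 2048:
        return False, "empty or too long"
    m = URL_RE.fullmatch(value)
    if m is None:
        return False, "characters or structure outside the URL allowlist"
    scheme, _host, port, _path = m.groups()
    if scheme not in ALLOWED_SCHEMES:
        return False, "scheme not allowed: " + scheme
    if port is not None and not 1 <= int(port) <= 65535:
        return False, "port out of range"
    return True, "ok"

def flag_requests(log_lines):
    """Return (line_no, decoded_value, reason) for /bypass/config requests that fail the check."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        target = urlsplit(m.group(1))
        if target.path != "/bypass/config":
            continue
        # parse_qs percent-decodes the value, so encoded metacharacters are caught too.
        for value in parse_qs(target.query, keep_blank_values=True).get("queueUrl", []):
            ok, reason = check_queue_url(value)
            if not ok:
                hits.append((n, value, reason))
    return hits

# Constructed sample lines (not taken from a real device or from the page).
SAMPLE = [
    '10.0.0.5 - - [10/Jan/2024:09:00:01 +0000] "GET /bypass/config?queueUrl=mqtts://broker.example.net:8883/q1 HTTP/1.1" 200 12',
    '10.0.0.9 - - [10/Jan/2024:09:00:07 +0000] "GET /bypass/config?queueUrl=http://broker.example.net/%24%28touch%20%2Ftmp%2Fmarker%29 HTTP/1.1" 200 12',
    '10.0.0.5 - - [10/Jan/2024:09:00:09 +0000] "GET /status HTTP/1.1" 200 5',
]

if __name__ == "__main__":
    for hit in flag_requests(SAMPLE):
        print(hit)
```

Because the injected value runs at boot, a hit in historical logs means the stored gateway configuration should be inspected as well, not only the request blocked going forward.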

Vulnerability details

In Cassia Gateway firmware XC1000_2.1.1.2303082218 and XC2000_2.1.1.2303090947, the queueUrl parameter in /bypass/config is not sanitized. This leads to injecting Bash code and executing it with root privileges on device startup.

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: cassianetworks, Product: xc1000 firmware, Version: 2.1.1.2303082218
Vendor: cassianetworks, Product: xc2000 firmware, Version: 2.1.1.2303090947

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.
