CVE-2023-33381
Published: 06 June 2023
Summary
CVE-2023-33381 is a high-severity OS Command Injection (CWE-78) vulnerability in Mitrastar Gpt-2741Gnac Firmware. Its CVSS base score is 7.2 (High).
Operationally, it is ranked in the top 2.3% of CVEs by exploit likelihood, it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
This vulnerability is AI-related — categorised as APIs and Models.
Deeper analysis
A command injection vulnerability tracked as CVE-2023-33381 affects the ping functionality in the MitraStar GPT-2741GNAC router running firmware version AR_g5.8_110WVN0b7_2. The flaw, assigned CWE-78, permits an authenticated user to supply specially crafted input that results in execution of arbitrary operating-system commands on the device. It carries a CVSS 3.1 base score of 7.2, reflecting network attack vector, low complexity, and high impact across confidentiality, integrity, and availability when the attacker holds administrative credentials.
An authenticated administrator can exploit the issue remotely by submitting malicious payloads through the router’s ping interface, thereby gaining the ability to run arbitrary commands with the privileges of the underlying operating system. Successful exploitation can lead to full device compromise, including the ability to alter configuration, exfiltrate data, or pivot further into the network.
Public references include a proof-of-concept repository demonstrating the injection technique, along with vendor sites for MitraStar and the affected product; no official advisory or firmware patch addressing the flaw is referenced in the available sources. The CVE’s EPSS score currently stands at 0.5803 with a recorded peak of 0.6030.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-37544
Vulnerability details
A command injection vulnerability was found in the ping functionality of the MitraStar GPT-2741GNAC router (firmware version AR_g5.8_110WVN0b7_2). The vulnerability allows an authenticated user to execute arbitrary OS commands by sending specially crafted input to the router via the ping function.
- CWE(s)
AI Security Analysis
- AI Category: APIs and Models
- Risk Domain: N/A
- OWASP Top 10 for LLMs 2025: None mapped
- Classification Reason: Matched keywords: gpt
Mitigating Controls
Likely Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.