CVE-2023-33530
Published: 06 June 2023
Summary
CVE-2023-33530 is a high-severity Command Injection (CWE-77) vulnerability in Tenda G103 Firmware. Its CVSS base score is 8.8 (High).
Operationally, it ranks in the top 8.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
CVE-2023-33530 is a command injection flaw (CWE-77) affecting the Tenda G103 Gigabit GPON Terminal running firmware version V1.0.0.5. Its CVSS 3.1 base score of 8.8 reflects a network attack vector, low attack complexity, and high impact on confidentiality, integrity, and availability.
An attacker who has already obtained web management privileges can inject operating-system commands through the management interface, which allows them to spawn a shell and execute arbitrary code on the device.
Public references consist of the vendor site and a GitHub repository containing a proof-of-concept PDF that demonstrates the remote code execution path; no vendor advisory or patch information is supplied in these sources. The associated EPSS score has remained flat at 0.0688 with no material rise after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-37689
Vulnerability details
There is a command injection vulnerability in the Tenda G103 Gigabit GPON Terminal with firmware version V1.0.0.5. If an attacker gains web management privileges, they can inject commands and gain shell privileges.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.