Cyber Resilience

CVE-2023-33530

High · RCE

Published: 06 June 2023
Modified: 08 January 2025
KEV Added
Patch
CVSS Score v3.1: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0688 (91.6th percentile)
Risk Priority: 22 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2023-33530 is a high-severity Command Injection (CWE-77) vulnerability in Tenda G103 Firmware. Its CVSS base score is 8.8 (High).

Operationally, it ranks in the top 8.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

The vulnerability CVE-2023-33530 is a command injection flaw tracked under CWE-77 that affects the Tenda G103 Gigabit GPON Terminal running firmware version V1.0.0.5. It received a CVSS 3.1 score of 8.8, driven by network attack vector, low complexity, and high impact on confidentiality, integrity, and availability.

An attacker who first obtains web management privileges can inject operating-system commands through the management interface, resulting in the ability to spawn a shell and execute arbitrary code on the device.

Public references consist of the vendor site and a GitHub repository containing a proof-of-concept PDF that demonstrates the remote code execution path; no vendor advisory or patch information is supplied in these sources. The associated EPSS score has remained flat at 0.0688 with no material rise after disclosure.

Vulnerability details

There is a command injection vulnerability in the Tenda G103 Gigabit GPON Terminal with firmware version V1.0.0.5. If an attacker gains web management privileges, they can inject commands and gain shell privileges.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: tenda
Product: g103 firmware
Version: 1.0.0.5

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.
