Cyber Resilience

CVE-2023-33617

High · Public PoC · RCE

Published: 23 May 2023
Modified: 31 January 2025
KEV Added: not listed
Patch: none referenced
CVSS Score v3.1: 7.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.6599 (98.5th percentile)
Risk Priority: 54 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2023-33617 is a high-severity OS Command Injection (CWE-78) vulnerability in Eparks Fiberlink 210 Firmware. Its CVSS base score is 7.2 (High).

Operationally, it ranks in the top 1.5% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog; and a public proof-of-concept is referenced.

Deeper analysis

CVE-2023-33617 is an OS command injection vulnerability, tracked as CWE-78, that affects the Parks Fiberlink 210 device running firmware version V2.1.14_X000. The flaw resides in the /boaform/admin/formPing endpoint and is triggered through the target_addr parameter: user-supplied input is passed to the underlying operating system without proper neutralization.

An authenticated administrator with network access can supply crafted input to the affected parameter and execute arbitrary operating-system commands on the device. Successful exploitation yields high impact across confidentiality, integrity, and availability, consistent with the reported CVSS 7.2 vector that requires high privileges but no user interaction.

The two reference URLs point to the same public gist that documents the issue; no vendor advisory or patch information is provided in the available references. The associated EPSS score has remained in the 0.66–0.70 range without a documented rise from a low baseline.

Vulnerability details

An OS Command Injection vulnerability in Parks Fiberlink 210 firmware version V2.1.14_X000 was found via the /boaform/admin/formPing target_addr parameter.

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: eparks
Product: fiberlink 210 firmware
Version: 2.1.14_x000

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

- addresses CWE-78: Platform-independent apps typically execute inside a managed runtime or sandbox that restricts direct OS command execution, reducing the ability to exploit OS command injection.
- addresses CWE-78: Validates inputs to block special elements that would alter OS command execution.
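Added example, not the vendor's firmware code or the gist referenced above: a hardened ping handler in C that applies the second control listed, an allow-list validator for the target address, together with the usual companion defence of calling execvp() with an argv array so no shell ever parses the value. The function names valid_ping_target and safe_ping are assumptions.

```c
/* Added example (not the vendor's code): hardened handling of a ping
 * target like target_addr. Function names are assumptions. */
#define _POSIX_C_SOURCE 200809L
#include <arpa/inet.h>
#include <ctype.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Allow-list check: only a dotted-quad IPv4 address or an RFC 1123 hostname
 * passes; any other byte (space, ';', '|', '$', '`', ...) rejects the value. */
int valid_ping_target(const char *s)
{
    size_t len = s ? strlen(s) : 0;
    struct in_addr a;
    if (len == 0 || len > 253) return 0;
    if (inet_pton(AF_INET, s, &a) == 1) return 1; /* strict IPv4 */
    /* Hostname: labels of 1..63 chars from [A-Za-z0-9-], no leading or
     * trailing hyphen, single dots between labels. */
    size_t label = 0;
    for (size_t i = 0; i <= len; i++) {
        char c = s[i];
        if (c == '.' || c == '\0') {
            if (label == 0 || label > 63 || s[i - 1] == '-') return 0;
            label = 0;
        } else if (isalnum((unsigned char)c) || (c == '-' && label > 0)) {
            label++;
        } else {
            return 0;
        }
    }
    return 1;
}

/* Run ping with no shell in the path: the validated target is one argv element
 * given to execvp(). Returns ping's exit status, or -1 if rejected/not started. */
int safe_ping(const char *target)
{
    if (!valid_ping_target(target)) return -1;
    pid_t pid = fork();
    if (pid == 0) {
        char *argv[] = { "ping", "-c", "1", (char *)target, NULL };
        execvp(argv[0], argv);
        _exit(127);
    }
    int status = 0;
    if (pid < 0 || waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```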
