CVE-2023-33617
Published: 23 May 2023
Summary
CVE-2023-33617 is a high-severity OS Command Injection (CWE-78) vulnerability in Eparks Fiberlink 210 Firmware. Its CVSS base score is 7.2 (High).
Operationally, it is ranked in the top 1.5% of CVEs by exploit likelihood. It is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
CVE-2023-33617 is an OS command injection vulnerability, tracked as CWE-78, that affects the Parks Fiberlink 210 device running firmware version V2.1.14_X000. The flaw resides in the /boaform/admin/formPing endpoint and is triggered through the target_addr parameter, whose user-supplied value is improperly handled and passed to the underlying operating system.
An authenticated administrator with network access can supply crafted input to the affected parameter and execute arbitrary operating-system commands on the device. Successful exploitation yields high impact across confidentiality, integrity, and availability, consistent with the reported CVSS 7.2 vector that requires high privileges but no user interaction.
The two reference URLs point to the same public gist that documents the issue; no vendor advisory or patch information is provided in the available references. The associated EPSS score has remained in the 0.66–0.70 range without a documented rise from a low baseline.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-37773
Vulnerability details
An OS Command Injection vulnerability in Parks Fiberlink 210 firmware version V2.1.14_X000 was found via the /boaform/admin/formPing target_addr parameter.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls
Likely Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.