CVE-2023-34127
Published: 13 July 2023
Summary
CVE-2023-34127 is a high-severity OS Command Injection (CWE-78) vulnerability in Sonicwall Global Management System. Its CVSS base score is 8.8 (High).
Operationally, ranked in the top 0.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
CVE-2023-34127 is an OS command injection vulnerability, tracked as CWE-78, that affects SonicWall Global Management System (GMS) versions 9.3.2-SP1 and earlier as well as SonicWall Analytics versions 2.5.0.4-R7 and earlier. The flaw permits improper neutralization of special elements in operating system commands, which can be leveraged to run arbitrary commands.
An authenticated attacker with network access can exploit the issue without user interaction. Successful exploitation grants the ability to execute arbitrary code with root privileges on the affected appliance, resulting in full confidentiality, integrity, and availability impact as reflected in the CVSS 8.8 score.
SonicWall has published advisory SNWLID-2023-0010 and a corresponding support notice that address the vulnerability and direct customers to remediation steps for the listed GMS and Analytics releases. Public exploit code referencing the affected versions has also been posted to Packet Storm.
The associated EPSS score stands at 0.9058 with an identical recorded peak, indicating sustained high exploitation probability since disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-38229
Vulnerability details
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in SonicWall GMS, SonicWall Analytics enables an authenticated attacker to execute arbitrary code with root privileges. This issue affects GMS: 9.3.2-SP1 and earlier versions; Analytics: 2.5.0.4-R7…
more
and earlier versions.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.