CVE-2023-35803
Published: 04 October 2023
Summary
CVE-2023-35803 is a critical-severity Classic Buffer Overflow (CWE-120) vulnerability in Extreme Networks IQ Engine. Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 9.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
IQ Engine versions prior to 10.6r2 running on Extreme Networks access-point devices contain a buffer overflow vulnerability tracked as CVE-2023-35803 and classified as CWE-120 (Classic Buffer Overflow). The flaw received a CVSS 3.1 base score of 9.8, reflecting an attack that is reachable over the network, requires no authentication or user interaction, and can impact confidentiality, integrity, and availability.
An unauthenticated remote attacker can send specially crafted network traffic to the affected acsd service and trigger the overflow, either executing arbitrary code or crashing the process. Because the vulnerability is reachable over the network without credentials, any internet-exposed or laterally reachable Extreme Networks AP running a vulnerable IQ Engine release is exposed.
The vendor advisory SA-2023-067 states that the issue is resolved in IQ Engine 10.6r2 and later; administrators are advised to upgrade affected devices and to restrict management-plane access until the patch can be applied. The associated EPSS score has remained flat at 0.0547, with no material post-disclosure increase observed.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-39798
Vulnerability details
IQ Engine before 10.6r2 on Extreme Network AP devices has a Buffer Overflow.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls
Likely mitigating controls (AI-derived): per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Platform-independent managed code (memory-safe languages with bounds-checked buffers) eliminates the unchecked native buffer copies that are the root cause of classic buffer overflows. For already-deployed firmware such as IQ Engine, this is a design-level control rather than a remediation; the practical fix for this CVE is the vendor upgrade to 10.6r2 or later, with management-plane access restricted in the meantime.