CVE-2023-3710
Published: 12 September 2023
Summary
CVE-2023-3710 is a critical-severity Improper Input Validation (CWE-20) vulnerability in Honeywell Pm43 Firmware. Its CVSS base score is 9.9 (Critical).
Operationally, ranked in the top 0.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
CVE-2023-3710 is an improper input validation flaw that permits command injection, tracked under CWE-20 and CWE-77. It affects the web page modules of Honeywell PM43 industrial printers running 32-bit ARM firmware, specifically all versions prior to P10.19.050004. The vulnerability carries a CVSS 3.1 score of 9.9, reflecting network attack vector, low complexity, no required privileges or user interaction, and impacts on confidentiality, integrity, and availability within a changed scope.
An unauthenticated remote attacker can supply crafted input to the printer's web interface and execute arbitrary commands on the device. Successful exploitation can lead to partial control over the printer's operating environment, enabling actions such as configuration changes, data manipulation, or disruption of print operations.
Honeywell's security advisory directs users to upgrade affected PM43 units to firmware version MR19.5 (for example P10.19.050006) and provides signed firmware packages via their distribution portal. The product security page at honeywell.com reiterates the need to apply the latest available printer firmware.
The associated EPSS score has remained at 0.9170 with no reported rise after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-44345
Vulnerability details
Improper Input Validation vulnerability in Honeywell PM43 on 32 bit, ARM (Printer web page modules) allows Command Injection.This issue affects PM43 versions prior to P10.19.050004. Update to the latest available firmware version of the respective printers to version MR19.5 (e.g.…
more
P10.19.050006).
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Security testing and developer training directly verify and enforce proper input validation, reducing exploitability of injection and malformed-data weaknesses.
Security testing and evaluation at multiple SDLC stages directly detects missing or flawed input validation, with the required remediation process ensuring fixes are applied.
Directly implements checks on information inputs to reject invalid data before processing.
Spam protection mechanisms perform filtering and detection on inbound/outbound messages, directly compensating for missing or weak input validation of unsolicited content.