Cyber Resilience

CVE-2023-38829

HighPublic PoCRCE

Published: 11 September 2023

Published
11 September 2023
Modified
21 November 2024
KEV Added
Patch
CVSS Score v3.1 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.1784 95.3th percentile
Risk Priority 28 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2023-38829 is a high-severity Command Injection (CWE-77) vulnerability in Netis-Systems Wf2409E Firmware. Its CVSS base score is 8.8 (High).

Operationally, ranked in the top 4.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

Deeper analysis

CVE-2023-38829 is a command injection vulnerability, identified as CWE-77, that affects the diagnostic tools component of the NETIS SYSTEMS WF2409E wireless router running firmware version 3.6.42541. The flaw is present in the ping and traceroute functions exposed through the admin management interface and received a CVSS 3.1 score of 8.8.

An attacker who has obtained valid administrative credentials can send specially crafted requests to these functions over the network, resulting in arbitrary code execution on the device. This grants the attacker the ability to read or modify sensitive data, alter device configuration, or leverage the router for further network attacks.

Public proof-of-concept exploit code targeting the vulnerability has been published on GitHub. The associated EPSS score stands at 0.1784 with no material rise from a lower baseline.

EU & UK References

Vulnerability details

An issue in NETIS SYSTEMS WF2409E v.3.6.42541 allows a remote attacker to execute arbitrary code via the ping and traceroute functions of the diagnostic tools component in the admin management interface.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

netis-systems
wf2409e firmware
3.6.42541

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References