CVE-2023-41011
Published: 14 September 2023
Summary
CVE-2023-41011 is a critical-severity Command Injection (CWE-77) vulnerability in Chinamobile Intelligent Home Gateway Firmware. Its CVSS base score is 9.8 (Critical).
Operationally, ranked in the top 6.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
CVE-2023-41011 is a command injection vulnerability, tracked under CWE-77, that affects the China Mobile Intelligent Home Gateway model HG6543C4. The flaw resides in the shortcut_telnet.cg component and permits unauthenticated remote attackers to execute arbitrary operating-system commands. It carries a CVSS 3.1 base score of 9.8, reflecting network attack vector, low attack complexity, and no required privileges or user interaction.
An attacker with network access to an exposed device can send crafted requests directly to shortcut_telnet.cg, resulting in full command execution on the gateway. Successful exploitation grants the attacker the ability to read, modify, or delete data and potentially take complete control of the affected device.
The two referenced GitHub wiki entries document the vulnerability and its reproduction steps but contain no official vendor advisory, patch information, or mitigation guidance. The associated EPSS score has remained flat at 0.1157 since disclosure, indicating no material increase in observed exploitation interest.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-45548
Vulnerability details
Command Execution vulnerability in China Mobile Communications China Mobile Intelligent Home Gateway v.HG6543C4 allows a remote attacker to execute arbitrary code via the shortcut_telnet.cg component.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.