CVE-2023-41109
Published: 28 August 2023
Summary
CVE-2023-41109 is a critical-severity OS Command Injection (CWE-78) vulnerability in Patton Smartnode Sn200 Firmware. Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 0.3% of CVEs by exploit likelihood, it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
CVE-2023-41109 is an unauthenticated OS command injection issue, tracked as CWE-78, that affects the SmartNode SN200 device running firmware version 3.21.2-23021. It received a CVSS 3.1 base score of 9.8, driven by a network attack vector that requires no credentials or user interaction.
An attacker with network access can send crafted requests that result in arbitrary operating system command execution on the device, with full impact on confidentiality, integrity, and availability and no prior authentication.
Public disclosures, including the SYSS-2023-019 advisory and associated entries on Packet Storm and Full Disclosure, document the flaw and provide technical details for practitioners. The associated EPSS score reached a peak of 0.9248 and currently stands at 0.9198.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-45628
Vulnerability details
SmartNode SN200 (aka SN200) 3.21.2-23021 allows unauthenticated OS Command Injection.
- CWE(s): CWE-78 (OS Command Injection)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.