Cyber Resilience

CVE-2023-41109

Critical · Public PoC · RCE

Published: 28 August 2023
Modified: 21 November 2024
KEV Added: not listed
Patch: (no patch reference recorded on this page)
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.9198 (99.7th percentile)
Risk Priority: 75 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2023-41109 is a critical-severity OS Command Injection (CWE-78) vulnerability in Patton SmartNode SN200 firmware. Its CVSS base score is 9.8 (Critical).

Operationally, this CVE ranks in the top 0.3% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

Deeper analysis

CVE-2023-41109 is an unauthenticated OS command injection issue, classified as CWE-78, affecting the SmartNode SN200 device running firmware version 3.21.2-23021. It received a CVSS 3.1 base score of 9.8, driven by a network attack vector that requires neither credentials nor user interaction.

An attacker with network access can send crafted requests that result in arbitrary operating system command execution on the device, granting full control over confidentiality, integrity, and availability without prior authentication.

Public disclosures, including the SYSS-2023-019 advisory and associated entries on Packet Storm and Full Disclosure, document the flaw and provide technical details for practitioners. The associated EPSS score reached a peak of 0.9248 and currently stands at 0.9198.

Vulnerability details

SmartNode SN200 (aka SN200) 3.21.2-23021 allows unauthenticated OS Command Injection.

CWE(s)

CWE-78: Improper Neutralization of Special Elements used in an OS Command (OS Command Injection)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: Patton
Product: SmartNode SN200 firmware
Affected versions: ≤ 3.21.2-23021

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

- Addresses CWE-78: Platform-independent apps typically execute inside a managed runtime or sandbox that restricts direct OS command execution, reducing the ability to exploit OS command injection.

- Addresses CWE-78: Validates inputs to block special elements that would alter OS command execution.