CVE-2023-43482
Published: 06 February 2024
Summary
CVE-2023-43482 is a high-severity OS Command Injection (CWE-78) vulnerability in Tp-Link Er7206 Firmware. Its CVSS base score is 7.2 (High).
Operationally, ranked in the top 9.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
A command execution vulnerability exists in the guest resource functionality of the Tp-Link ER7206 Omada Gigabit VPN Router version 1.3.0 build 20230322 Rel.70591. The issue, tracked as CVE-2023-43482 and assigned CWE-78, allows a specially crafted HTTP request to trigger arbitrary command execution and carries a CVSS 3.1 score of 7.2 reflecting network-accessible, low-complexity attack conditions that require high privileges.
An authenticated attacker can send a malicious HTTP request to the affected router and obtain full control over the device, resulting in complete compromise of confidentiality, integrity, and availability. The vulnerability is reachable over the network without user interaction once valid administrative credentials are supplied.
Public references consist of detailed reports published by Cisco Talos under TALOS-2023-1850 that describe the flaw and are the primary source for mitigation guidance and any available patches. The associated EPSS score has remained flat at 0.0555 with no material increase since disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-47897
Vulnerability details
A command execution vulnerability exists in the guest resource functionality of Tp-Link ER7206 Omada Gigabit VPN Router 1.3.0 build 20230322 Rel.70591. A specially crafted HTTP request can lead to arbitrary command execution. An attacker can make an authenticated HTTP request…
more
to trigger this vulnerability.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.