CVE-2023-47415
Published: 07 March 2024
Summary
CVE-2023-47415 is a high-severity OS Command Injection (CWE-78) vulnerability in Cypress Ctm-200 Firmware. Its CVSS base score is 7.5 (High).
Operationally, ranked in the top 4.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
Cypress Solutions CTM-200 firmware versions 2.7.1.5600 and earlier contain an OS command injection vulnerability, tracked as CVE-2023-47415 and assigned CWE-78, that is reachable through the cli_text parameter. The flaw carries a CVSS 3.1 base score of 7.5 with a network attack vector, low complexity, and no required authentication or user interaction, resulting in high integrity impact while leaving confidentiality and availability unaffected.
Unauthenticated remote attackers can supply crafted input to the cli_text parameter and execute arbitrary operating-system commands on the affected device, enabling them to modify system behavior or data without any prior credentials. The EPSS score for this CVE has remained flat at 0.2010 since disclosure, indicating no material increase in observed exploitation interest.
Public references include a detailed disclosure at the Loudmouth Security GitLab repository along with vendor sites for Cypress and CTM-200, though no specific patch or mitigation guidance is supplied in the available information.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-51529
Vulnerability details
Cypress Solutions CTM-200 v2.7.1.5600 and below was discovered to contain an OS command injection vulnerability via the cli_text parameter.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.