Cyber Resilience

CVE-2023-47415

High · Public PoC · RCE

Published: 07 March 2024
Modified: 18 September 2025
KEV Added:
Patch:
CVSS Score v3.1: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)
EPSS Score: 0.2010 (95.6th percentile)
Risk Priority: 27 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2023-47415 is a high-severity OS Command Injection (CWE-78) vulnerability in Cypress Ctm-200 Firmware. Its CVSS base score is 7.5 (High).

Operationally, it ranks in the top 4.4% of CVEs by exploit likelihood, it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

Deeper analysis

Cypress Solutions CTM-200 firmware versions 2.7.1.5600 and earlier contain an OS command injection vulnerability, tracked as CVE-2023-47415 and assigned CWE-78, that is reachable through the cli_text parameter. The flaw carries a CVSS 3.1 base score of 7.5 with a network attack vector, low complexity, and no required authentication or user interaction, resulting in high integrity impact while leaving confidentiality and availability unaffected.

Unauthenticated remote attackers can supply crafted input to the cli_text parameter and execute arbitrary operating-system commands on the affected device, enabling them to modify system behavior or data without any prior credentials. The EPSS score for this CVE has remained flat at 0.2010 since disclosure, indicating no material increase in observed exploitation interest.

Public references include a detailed disclosure at the Loudmouth Security GitLab repository along with vendor sites for Cypress and CTM-200, though no specific patch or mitigation guidance is supplied in the available information.

Vulnerability details

Cypress Solutions CTM-200 v2.7.1.5600 and below was discovered to contain an OS command injection vulnerability via the cli_text parameter.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

cypress ctm-200 firmware, versions ≤ 2.7.1.5600-113

Mitigating Controls

Likely Mitigating Controls (AI)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-78

Platform-independent apps typically execute inside a managed runtime or sandbox that restricts direct OS command execution, reducing the ability to exploit OS command injection.

addresses: CWE-78

Validates inputs to block special elements that would alter OS command execution.
