Cyber Resilience

CVE-2023-48692

Critical

Published: 05 December 2023

Published
05 December 2023
Modified
21 November 2024
KEV Added
Patch
CVSS Score v3.1 9.0 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
EPSS Score 0.0503 90.0th percentile
Risk Priority 21 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2023-48692 is a critical-severity Out-of-bounds Write (CWE-787) vulnerability in Microsoft Azure Rtos Netx Duo. Its CVSS base score is 9.0 (Critical).

Operationally, ranked in the top 10.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

Azure RTOS NetX Duo is a TCP/IP network stack for deeply embedded real-time and IoT applications that contains memory overflow vulnerabilities in components handling icmp, tcp, snmp, dhcp, nat, and ftp. These issues, present in version 6.2.1 and earlier, are tracked under CWE-787 and CWE-825 and can result in remote code execution. The CVSS 3.1 score is 9.0 with a network attack vector, high complexity, and no required privileges or user interaction.

An unauthenticated remote attacker can send crafted network packets to trigger the overflows and achieve arbitrary code execution on the affected device with impacts to confidentiality, integrity, and availability across security boundaries.

The GitHub security advisories state that the fixes are included in NetX Duo release 6.3.0 and that users should upgrade, as no workarounds are known. The EPSS score remains flat at 0.0503 with no material increase after disclosure.

EU & UK References

Vulnerability details

Azure RTOS NetX Duo is a TCP/IP network stack designed specifically for deeply embedded real-time and IoT applications. An attacker can cause remote code execution due to memory overflow vulnerabilities in Azure RTOS NETX Duo. The affected components include processes/functions…

more

related to icmp, tcp, snmp, dhcp, nat and ftp in RTOS v6.2.1 and below. The fixes have been included in NetX Duo release 6.3.0. Users are advised to upgrade. There are no known workarounds for this vulnerability.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

microsoft
azure rtos netx duo
≤ 6.3.0

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-787

Out-of-bounds writes that corrupt control flow or inject shellcode are rendered non-executable by the same memory protections.

References