CVE-2023-49237
Published: 09 January 2024
Summary
CVE-2023-49237 is a critical-severity command injection (CWE-77) vulnerability in TRENDnet TV-IP1314PI firmware. Its CVSS base score is 9.8 (Critical).
Operationally: the CVE ranks in the top 1.3% of all CVEs by EPSS exploit likelihood; it is not currently listed in the CISA Known Exploited Vulnerabilities (KEV) catalog; and a public proof-of-concept is referenced.
Deeper analysis
CVE-2023-49237 affects TRENDnet TV-IP1314PI devices running firmware version 5.5.3 200714. The flaw is a command injection (CWE-77) in the davinci process, which calls system() to unpack language packs and passes a URL string into that shell command line without strict filtering.
Because the URL reaches /bin/sh via system(), an unauthenticated remote attacker who can supply a crafted URL (one carrying shell metacharacters, for instance) obtains arbitrary command execution on the device. Successful exploitation yields full control over the affected camera, including the ability to read, modify, or delete data and to disrupt device availability, which is consistent with the CVSS 9.8 rating (network attack vector, no privileges required, no user interaction).
Researcher disclosures hosted on GitHub and Google Drive provide technical details and proof-of-concept material, but the available sources reference no vendor advisory or fixed firmware. The EPSS score has held steady at 0.698 since publication, i.e. an estimated probability of roughly 70% that exploitation activity occurs within the next 30 days. Until a vendor fix is referenced, treat affected cameras as exploitable and keep their web interface off untrusted networks.
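To make the mechanism concrete, here is an added example written for this page, not code from the TRENDnet firmware or from any of the cited disclosures. It shows the pattern the description implies, a user-supplied URL string interpolated into a system() command line, beside a hardened form that allow-lists the URL and runs the downloader through fork/execv so no shell ever parses it. The function names, the wget-style argument layout, the /tmp/lang.tar path and the sample URLs are all assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* ---- Vulnerable pattern (illustrative; not the real davinci code) ----
 * The language-pack URL is pasted into a shell command line that the caller
 * then hands to system().  Nothing stops ';', '|', '`' or '$(...)' from
 * reaching /bin/sh, so "http://x/a.tar;reboot" also runs "reboot".
 * Returns 0 on success, -1 if the command would not fit in 'out'. */
int build_unpack_cmd_vuln(char *out, size_t outlen, const char *url)
{
    int n = snprintf(out, outlen,
                     "wget -O /tmp/lang.tar %s && tar -xf /tmp/lang.tar -C /usr/lang",
                     url);
    /* the vulnerable caller would now do: system(out); */
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* ---- Hardened version ----
 * 1. Allow-list the URL: http(s) scheme, bounded length, and a character
 *    set containing no shell metacharacters, whitespace or quotes.
 *    Returns 1 if the URL is acceptable, 0 otherwise. */
int url_is_allowed(const char *url)
{
    static const char extra[] = "-._/:?=%";   /* allowed besides [A-Za-z0-9] */
    size_t len = strlen(url);

    if (len == 0 || len > 512)
        return 0;
    if (strncmp(url, "http://", 7) != 0 && strncmp(url, "https://", 8) != 0)
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)url[i];
        if (!isalnum(c) && strchr(extra, c) == NULL)
            return 0;
    }
    return 1;
}

/* 2. Never let a shell see the string: run the downloader directly with an
 *    argv vector via fork/execv.  "--" ends option parsing so the URL can
 *    never be read as a flag.  'tool' is the downloader binary (assumed
 *    wget-compatible, e.g. "/usr/bin/wget"); callers that only want a dry
 *    run can pass "/bin/echo".  Returns the child's exit status, or -1 if
 *    the URL was rejected or the child could not be run. */
int fetch_langpack_safe(const char *url, const char *dest, const char *tool)
{
    if (!url_is_allowed(url))
        return -1;

    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char *const argv[] = { (char *)tool, "-O", (char *)dest, "--",
                               (char *)url, NULL };
        execv(tool, argv);
        _exit(127);                       /* exec failed */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    const char *good = "http://example.com/lang/en.tar";    /* constructed */
    const char *evil = "http://example.com/a.tar;reboot";   /* constructed */
    char cmd[1024];

    build_unpack_cmd_vuln(cmd, sizeof cmd, evil);
    printf("vulnerable command line: %s\n", cmd);   /* ';reboot' survives */

    printf("allow-list: good=%d evil=%d\n",
           url_is_allowed(good), url_is_allowed(evil));
    printf("safe fetch of evil URL: %d (rejected before any exec)\n",
           fetch_langpack_safe(evil, "/tmp/lang.tar", "/bin/echo"));
    printf("safe fetch of good URL via /bin/echo: %d\n",
           fetch_langpack_safe(good, "/tmp/lang.tar", "/bin/echo"));
    return 0;
}
```

The allow-list is deliberately stricter than RFC 3986 (no '&', no quotes, no whitespace); on a firmware download path that only ever fetches vendor-hosted archives, rejecting an odd-looking URL is cheaper than reasoning about every shell dialect. The execv step is the real fix: even if the filter had a gap, there is no shell left to exploit.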
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-53240
Vulnerability details
An issue was discovered on TRENDnet TV-IP1314PI 5.5.3 200714 devices. Command injection can occur because the system function is used by davinci to unpack language packs without strict filtering of URL strings.
- CWE(s): CWE-77 (Command Injection)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
- TRENDnet TV-IP1314PI, firmware 5.5.3 200714
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.