CVE-2023-5684
Published: 21 October 2023
Summary
CVE-2023-5684 is a medium-severity OS Command Injection (CWE-78) vulnerability in Byzoro Smart S85F Firmware. Its CVSS base score is 4.7 (Medium).
Operationally, ranked in the top 7.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
A vulnerability identified as CVE-2023-5684 affects the Byzoro Smart S85F Management Platform up to version 20231012. It resides in an unknown function of the file /importexport.php and stems from improper handling of input that permits OS command injection, corresponding to CWE-78. The issue received a CVSS 3.1 score of 4.7 and was publicly disclosed on 21 October 2023 after the vendor was contacted without response.
An attacker with high privileges can exploit the flaw remotely by supplying crafted input to the affected endpoint, resulting in execution of arbitrary operating-system commands with limited impact on confidentiality, integrity, and availability. The exploit code has been published, enabling any authenticated administrator to leverage the injection.
Public references, including VulDB entries and a GitHub disclosure, contain no vendor-supplied patches or mitigation guidance, consistent with the lack of vendor response. The associated EPSS score has remained flat at 0.0862 with no material increase since disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-57975
Vulnerability details
A vulnerability was found in Byzoro Smart S85F Management Platform up to 20231012. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file /importexport.php. The manipulation leads to os command injection. The attack…
more
can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-243061 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.