Cyber Resilience

CVE-2023-5684

MediumPublic PoC

Published: 21 October 2023

Published
21 October 2023
Modified
21 November 2024
KEV Added
Patch
CVSS Score v3.1 4.7 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L
EPSS Score 0.0862 92.6th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2023-5684 is a medium-severity OS Command Injection (CWE-78) vulnerability in Byzoro Smart S85F Firmware. Its CVSS base score is 4.7 (Medium).

Operationally, ranked in the top 7.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

Deeper analysis

A vulnerability identified as CVE-2023-5684 affects the Byzoro Smart S85F Management Platform up to version 20231012. It resides in an unknown function of the file /importexport.php and stems from improper handling of input that permits OS command injection, corresponding to CWE-78. The issue received a CVSS 3.1 score of 4.7 and was publicly disclosed on 21 October 2023 after the vendor was contacted without response.

An attacker with high privileges can exploit the flaw remotely by supplying crafted input to the affected endpoint, resulting in execution of arbitrary operating-system commands with limited impact on confidentiality, integrity, and availability. The exploit code has been published, enabling any authenticated administrator to leverage the injection.

Public references, including VulDB entries and a GitHub disclosure, contain no vendor-supplied patches or mitigation guidance, consistent with the lack of vendor response. The associated EPSS score has remained flat at 0.0862 with no material increase since disclosure.

EU & UK References

Vulnerability details

A vulnerability was found in Byzoro Smart S85F Management Platform up to 20231012. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file /importexport.php. The manipulation leads to os command injection. The attack…

more

can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-243061 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

byzoro
smart s85f firmware
≤ 2023-10-12

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-78

Platform-independent apps typically execute inside a managed runtime or sandbox that restricts direct OS command execution, reducing the ability to exploit OS command injection.

addresses: CWE-78

Validates inputs to block special elements that would alter OS command execution.

References