CVE-2023-33374

Connected IO v2.1.0 and prior has a command as part of its communication protocol allowing the management platform to specify arbitrary OS commands for devices to execute. Attackers abusing this dangerous functionality may issue all devices OS commands to execute, resulting in arbitrary remote command execution.

CVSS v3 9.8 CRITICAL

9.8^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://claroty.com/team82/disclosure-dashboard/cve-2023-33374	Third Party Advisory
https://www.connectedio.com/products/routers	Product
https://claroty.com/team82/disclosure-dashboard/cve-2023-33374	Third Party Advisory
https://www.connectedio.com/products/routers	Product

Configurations

Configuration 1 (hide)

cpe:2.3:a:connectedio:connected_io:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2023-08-04 18:15

Updated : 2024-11-21 08:05

NVD link : CVE-2023-33374

Mitre link : CVE-2023-33374

CVE.ORG link : CVE-2023-33374

JSON object : View

Products Affected

connectedio

connected_io

CWE

CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

{"id": "CVE-2023-33374", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}]}, "published": "2023-08-04T18:15:12.183", "references": [{"url": "https://claroty.com/team82/disclosure-dashboard/cve-2023-33374", "tags": ["Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://www.connectedio.com/products/routers", "tags": ["Product"], "source": "cve@mitre.org"}, {"url": "https://claroty.com/team82/disclosure-dashboard/cve-2023-33374", "tags": ["Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://www.connectedio.com/products/routers", "tags": ["Product"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-78"}]}], "descriptions": [{"lang": "en", "value": "Connected IO v2.1.0 and prior has a command as part of its communication protocol allowing the management platform to specify arbitrary OS commands for devices to execute. Attackers abusing this dangerous functionality may issue all devices OS commands to execute, resulting in arbitrary remote command execution."}, {"lang": "es", "value": "Connected IO v2.1.0 y anteriores tiene un comando como parte de su protocolo de comunicaci\u00f3n que permite a la plataforma de gesti\u00f3n especificar comandos de SO arbitrarios para que los dispositivos los ejecuten. Los atacantes que abusen de esta peligrosa funcionalidad pueden enviar a todos los dispositivos comandos del sistema operativo para su ejecuci\u00f3n, lo que resulta en la ejecuci\u00f3n remota de comandos arbitrarios.\n"}], "lastModified": "2024-11-21T08:05:30.293", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:connectedio:connected_io:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "AF690623-7129-4811-9897-90ECE1F8DFDA", "versionEndIncluding": "2.1.0"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}