CVE-2023-3333

28.06.2023, 02:15

Improper Neutralization of Special Elements used in an OS Command vulnerability in NEC Corporation Aterm WG2600HP2, WG2600HP, WG2200HP, WG1800HP2, WG1800HP, WG1400HP, WG600HP, WG300HP, WF300HP, WR9500N, WR9300N, WR8750N, WR8700N, WR8600N, WR8370N, WR8175N and WR8170N all versions allowsa attackertoexecute an arbitrary OS command with the root privilege, after obtaining a high privilege exploiting CVE-2023-3330 and CVE-2023-3331 vulnerabilities.

OS Command Injection

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	7.2 HIGH	NETWORK	LOW	HIGH	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
NEC	CNA	---				---
CVE	ADP	---				---
CISA-ADP	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 22%

Vendor	Product	Version
nec	aterm_wf300hp_firmware	-
nec	aterm_wg1400hp_firmware	-
nec	aterm_wg1800hp_firmware	-
nec	aterm_wg1800hp2_firmware	-
nec	aterm_wg2200hp_firmware	-
nec	aterm_wg2600hp_firmware	-
nec	aterm_wg2600hp2_firmware	-
nec	aterm_wg300hp_firmware	-
nec	aterm_wg600hp_firmware	-
nec	aterm_wr8600n_firmware	-
nec	aterm_wr8700n_firmware	-
nec	aterm_wr8750n_firmware	-
nec	aterm_wr9300n_firmware	-
nec	aterm_wr9500n_firmware	-
nec	aterm_wr8170n_firmware	-
nec	aterm_wr8175n_firmware	-
nec	aterm_wr8370n_firmware	-

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
The software constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

References

https://https://jpn.nec.com/security-info/secinfo/nv23-007_en.html