CVE-2023-43744

An OS command injection vulnerability in Zultys MX-SE, MX-SE II, MX-E, MX-Virtual, MX250, and MX30 with firmware versions prior to 17.0.10 patch 17161 and 16.04 patch 16109 allows an administrator to execute arbitrary OS commands via a file name parameter in a patch application function. The Zultys MX Administrator client has a "Patch Manager" section that allows administrators to apply patches to the device. The user supplied filename for the patch file is passed to a shell script without validation. Including bash command substitution characters in a patch file name results in execution of the provided command.
OS Command Injection
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
7.2 HIGH
NETWORK
LOW
HIGH
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
mitreCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 41%
VendorProductVersion
zultysmx-se_firmware
𝑥
< 16.0.4
zultysmx-se_firmware
17.0.6 ≤
𝑥
< 17.0.10
zultysmx-se_ii_firmware
𝑥
< 16.0.4
zultysmx-se_ii_firmware
17.0.6 ≤
𝑥
< 17.0.10
zultysmx-e_firmware
𝑥
< 16.0.4
zultysmx-e_firmware
17.0.6 ≤
𝑥
< 17.0.10
zultysmx-virtual_firmware
𝑥
< 16.0.4
zultysmx-virtual_firmware
17.0.6 ≤
𝑥
< 17.0.10
zultysmx250_firmware
𝑥
< 16.0.4
zultysmx250_firmware
17.0.6 ≤
𝑥
< 17.0.10
zultysmx30_firmware
𝑥
< 16.0.4
zultysmx30_firmware
17.0.6 ≤
𝑥
< 17.0.10
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://github.com/atredispartners/advisories/blob/master/ATREDIS-2023-0002.md
https://mxvirtual.com
https://github.com/atredispartners/advisories/blob/master/ATREDIS-2023-0002.md
https://mxvirtual.com