OS Command Injection in TELTONIKA products - CVE-2023-32350
Published: May 15, 2023
Vulnerability identifier: #VU76157
CSH Severity: Medium
CVSSv4.0: CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2023-32350
CWE-ID: CWE-78
Exploitation vector: Adjecent network
Exploit availability:
No public exploit available
Vulnerable software:
RUT200
RUT230
RUT240
RUT241
RUT300
RUT360
RUT850
RUT901
RUT950
RUT951
RUT955
RUT956
RUT200
RUT230
RUT240
RUT241
RUT300
RUT360
RUT850
RUT901
RUT950
RUT951
RUT955
RUT956
Software vendor:
TELTONIKA
TELTONIKA
Description
The vulnerability allows a remote attacker to execute arbitrary shell commands on the target system.
The vulnerability exists due to improper input validation in a Lua service. A remote attacker on the local network can pass specially crafted data to the application and execute arbitrary OS commands on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Remediation
Install updates from vendor's website.