Main Vulnerability Database Vulnerabilities #VU78320

Command Injection in Siemens products - CVE-2023-36753

Published: July 17, 2023

Vulnerability identifier: #VU78320

CSH Severity: Low

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear

CVE-ID: CVE-2023-36753

CWE-ID: CWE-77

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vendor: Siemens

Affected software:
RUGGEDCOM ROX MX5000
RUGGEDCOM ROX MX5000RE
RUGGEDCOM ROX RX1400
RUGGEDCOM ROX RX1500
RUGGEDCOM ROX RX1501
RUGGEDCOM ROX RX1510
RUGGEDCOM ROX RX1511
RUGGEDCOM ROX RX1512
RUGGEDCOM ROX RX1524
RUGGEDCOM ROX RX1536
RUGGEDCOM ROX RX5000

Detailed vulnerability description

The vulnerability allows a remote user to execute arbitrary commands on the target system.

The vulnerability exists due to improper input validation within the uninstall-app App-name parameter in the web interface. A remote administrator can pass specially crafted data to the application and execute arbitrary commands on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

How to mitigate CVE-2023-36753

Install updates from vendor's website.

Sources

https://cert-portal.siemens.com/productcert/txt/ssa-146325.txt

Command Injection in Siemens products - CVE-2023-36753

Detailed vulnerability description

How to mitigate CVE-2023-36753

Sources

Please verify you're human