Command Injection in Smart Reader - CVE-2023-40146

 

Command Injection in Smart Reader - CVE-2023-40146

Published: April 18, 2024


Vulnerability identifier: #VU88816
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2023-40146
CWE-ID: CWE-77
Exploitation vector: Local access
Exploit availability: No public exploit available
Vendor: Peplink
Affected software:
Smart Reader

Detailed vulnerability description

The vulnerability allows a local attacker to execute arbitrary commands on the target system.

The vulnerability exists due to improper input validation in the /bin/login functionality. An attacker with physical access can pass specially crafted data to the application and execute arbitrary commands on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.


How to mitigate CVE-2023-40146

Install updates from vendor's website.

Sources