CVE-2023-43477

Name of the Vulnerable Software and Affected Versions Telstra Smart Modem Gen 2 (Arcadyan LH1000) versions prior to 0.18.15r

Description The ping from parameter of ping tracerte.cgi in the web UI was not properly sanitized before being used in a system call, which could allow an authenticated attacker to achieve command injection as root on the device.

Recommendations For versions prior to 0.18.15r, update to firmware version 0.18.15r or later to resolve the issue. As a temporary workaround, consider restricting access to the ping tracerte.cgi endpoint until a patch is available. Avoid using the ping from parameter in the affected API endpoint until the issue is resolved.