CVE-2023-2574

Name of the Vulnerable Software and Affected Versions Advantech EKI-1524, EKI-1522, EKI-1521 devices through 1.21

Description The issue is related to a command injection vulnerability in the device name input field. This vulnerability can be triggered by authenticated users via a crafted POST request to exploit the vulnerability, allowing remote attackers to execute arbitrary commands. The vulnerability exists due to the lack of measures to neutralize special elements used in the operating system command.

Recommendations For Advantech EKI-1524, EKI-1522, EKI-1521 devices through 1.21, consider disabling the device name input field until a patch is available to prevent exploitation. Restrict access to the vulnerable input field to minimize the risk of exploitation. Avoid using the device name input field in crafted POST requests until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.