CVE-2023-1097

Name of the Vulnerable Software and Affected Versions Baicells EG7035-M11 devices with firmware through BCE-ODU-1.0.8

Description The issue concerns improper code exploitation via HTTP GET command injections. Commands are executed using pre-login execution and are executed with root permissions. A 3rd party analyst has tested and validated the methods, confirming them as exploitable. This was discovered by Lionel Musonza.

Recommendations For Baicells EG7035-M11 devices with firmware through BCE-ODU-1.0.8, consider disabling HTTP GET commands until a patch is available to prevent exploitation. Restrict access to the device to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.