CVE-2023-35193

Name of the Vulnerable Software and Affected Versions peplink Surf SOHO HW1 version 6.3.5

Description An OS command injection issue exists in the api.cgi cmd.mvpn.x509.write functionality. A specially crafted HTTP request can lead to command execution. This is specifically related to the system call in the file /web/MANGA/cgi-bin/api.cgi. An attacker can make an authenticated HTTP request to trigger this issue.

Recommendations For version 6.3.5, consider disabling the system call in the /web/MANGA/cgi-bin/api.cgi file as a temporary workaround until a patch is available. Restrict access to the api.cgi functionality to minimize the risk of exploitation. Avoid using the cmd.mvpn.x509.write functionality in the affected API endpoint until the issue is resolved.