PT-2023-7183 · Advantech · Eki-1524+2

S. Dietz

Published

2023-05-08

Updated

2023-05-12

CVE-2023-2573

CVSS v2.0

9.0

High

Vector

AV:N/AC:L/Au:S/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions Advantech EKI-1524, EKI-1522, EKI-1521 devices through 1.21

Description The issue is related to a command injection vulnerability in the NTP server input field. This vulnerability can be triggered by authenticated users via a crafted POST request, potentially allowing a remote attacker to execute arbitrary code.

Recommendations For Advantech EKI-1524, EKI-1522, EKI-1521 devices through 1.21, consider disabling access to the NTP server input field until a patch is available. Restrict access to the vulnerable devices to minimize the risk of exploitation. Avoid using the NTP server input field in the affected devices until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

OS Command Injection

Command Injection

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-78CWE-77

Related Identifiers

BDU:2023-08210

CVE-2023-2573

Affected Products

Eki-1521

Eki-1522

Eki-1524

PT-2023-7183 · Advantech · Eki-1524+2

CVE-2023-2573

Weakness Enumeration

Related Identifiers

Affected Products

References · 11