PT-2023-7914 · Baicells · Baicells Nova 246+3
Rustam Amin · Published 2023-01-24 · Updated 2023-02-08 · CVE-2023-24508
CVSS v2.0: 10 (Critical)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions
Baicells Nova 227, Nova 233, and Nova 243 LTE TDD eNodeB and Nova 246 devices with firmware through RTS/RTD 3.6.6
Description
The issue exists due to inadequate protection of the web page structure in Baicells LTE network management systems. Exploitation of this issue may allow a remote attacker to execute arbitrary code with root privileges by injecting HTTP commands. Commands are executed before login and with root permissions.
Recommendations
For Baicells Nova 227, Nova 233, and Nova 243 LTE TDD eNodeB and Nova 246 devices with firmware through RTS/RTD 3.6.6, consider restricting access to HTTP commands to minimize the risk of exploitation until a patch is available. As a temporary workaround, disabling pre-login execution of commands may also help mitigate the risk. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
XSS
Weakness Enumeration
Related Identifiers
Affected Products
Baicells Nova 227
Baicells Nova 233
Baicells Nova 243
Baicells Nova 246