PT-2023-8559 · Baicells · Baicells Nova 436Q+2
Rustam Amin · Published 2023-02-10 · Updated 2023-02-14 · CVE-2023-0776
CVSS v3.1: 10.0 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Baicells Nova 436Q, Nova 430E, Nova 430I, and Neutrino 430 LTE TDD eNodeB devices with firmware through QRTB 2.12.7
Description
The issue is an HTTP command injection in Baicells devices that allows a remote attacker to execute shell commands with root privileges. It is possible because the web interface lacks protection measures for its page structure. The injected commands are executed pre-login, i.e. without authentication, which is consistent with the PR:N component of the CVSS vector. A third-party analyst has tested and validated the exploitability of this issue.
Recommendations
For Baicells Nova 436Q, Nova 430E, Nova 430I, and Neutrino 430 LTE TDD eNodeB devices with firmware through QRTB 2.12.7, consider disabling HTTP command execution until a patch is available. Restrict network access to the web interface (for example, to a dedicated management network) to reduce the exposure of the unauthenticated endpoint. Avoid relying on pre-login command execution until the issue is resolved. At the time of writing, no firmware version containing a fix for this vulnerability is known.
Command Injection
XSS
Related Identifiers
Affected Products
Baicells Neutrino 430 LTE TDD eNodeB
Baicells Nova 430E
Baicells Nova 436Q