PT-2025-42220 · Bytevalue · Bytevalue Intelligent Flow Control Router
Published: 2025-10-15 · Updated: 2025-10-15
CVE-2023-7311
CVSS v4.0: 9.3 (Critical)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Name of the Vulnerable Software and Affected Versions
BYTEVALUE Intelligent Flow Control Router (affected versions not specified)
Description
The BYTEVALUE Intelligent Flow Control Router contains a command injection issue through the /goform/webRead/open API endpoint. The path parameter lacks proper validation and is echoed into a shell context, enabling an attacker to inject and execute arbitrary shell commands. Successful exploitation could result in the installation of backdoors, privilege escalation, and complete compromise of the router and its management functions. The Rondo botnet has been observed targeting this issue.
Recommendations
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
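With no fixed version known, one practical check is to search upstream proxy or access logs for requests to the endpoint whose path value carries shell metacharacters. The following is an added example, not part of the original advisory or any vendor tooling; it assumes combined-format log lines and that the parameter travels in the query string under the literal name `path`, and its sample log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl

ENDPOINT = "/goform/webRead/open"   # endpoint named in the advisory
PARAM = "path"                      # assumption: query parameter literally named "path"

# Characters with special meaning to a POSIX shell; a plain file path rarely needs them.
SHELL_META = re.compile(r"[;&|`$<>\n\r(){}\\]")

# Source address and request line of a combined-format access log entry (assumed format).
REQUEST = re.compile(r'^(?P<src>\S+) .*?"(?P<method>[A-Z]+) (?P<url>\S+) HTTP/[\d.]+"')

# Constructed sample lines (documentation address ranges), not real traffic.
SAMPLE_LOG = [
    '198.51.100.7 - - [15/Oct/2025:10:00:01 +0000] "GET /goform/webRead/open?path=/tmp/report.txt HTTP/1.1" 200 512',
    '203.0.113.9 - - [15/Oct/2025:10:00:05 +0000] "GET /goform/webRead/open?path=%3Bid HTTP/1.1" 200 0',
    '203.0.113.9 - - [15/Oct/2025:10:00:06 +0000] "GET /index.html?path=%3Bid HTTP/1.1" 404 0',
    '192.0.2.44 - - [15/Oct/2025:10:02:11 +0000] "GET /goform/webRead/open/?path=a%60uname%60 HTTP/1.1" 200 0',
]


def suspicious_requests(lines):
    """Return (source, decoded value) for each request to ENDPOINT whose
    PARAM value contains a shell metacharacter after URL decoding."""
    hits = []
    for line in lines:
        m = REQUEST.match(line)
        if not m:
            continue  # not a parsable access-log entry
        url = urlsplit(m.group("url"))
        # Compare case-insensitively and ignore a trailing slash.
        if url.path.rstrip("/").lower() != ENDPOINT.lower():
            continue
        # parse_qsl percent-decodes, so encoded metacharacters are seen as sent.
        for key, value in parse_qsl(url.query, keep_blank_values=True):
            if key == PARAM and SHELL_META.search(value):
                hits.append((m.group("src"), value))
    return hits


if __name__ == "__main__":
    for src, value in suspicious_requests(SAMPLE_LOG):
        print(f"{src} sent suspicious {PARAM} value: {value!r}")
```

Requests that carry the parameter in a POST body will not appear in a standard access log, so a hit list that comes back empty does not rule out attempts.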
Exploit
LPE
OS Command Injection
Weakness Enumeration
Related Identifiers
Affected Products
Bytevalue Intelligent Flow Control Router