CVE-2023-35194

CVSS 3.1 Score 8.8 of 10 (high)

Details

Published Oct 11, 2023

Updated: Oct 18, 2023

CWE ID 78

Summary

CVE-2023-35194 is an OS command injection vulnerability affecting peplink Surf SOHO HW1 v6.3.5 in QEMU. The `api.cgi` cmd.mvpn.x509.write function contains a flaw that allows a specially crafted HTTP request to trigger command execution. This vulnerability specifically exploits the `system` call in the `/web/MANGA/cgi-bin/api.cgi` file at offset `0x4bde44`. An attacker must be authenticated to exploit this issue.

Prevent cyber attacks with Recorded Future by prioritizing and patching critical vulnerabilities being exploited by threat actors targeting your industry. Book your demo to learn more.

Peplink

Advisories, Assessments, and Mitigations

https://app.recordedfuture.com/live/sc/entity/rzlErt
https://www.cve.org/CVERecord?id=CVE-2023-35194
https://nvd.nist.gov/vuln/detail/CVE-2023-35194

Back to Vulnerability Database

CVE-2023-35194

CVSS 3.1 Score 8.8 of 10 (high)

Details

Summary

Affected Vendors

Advisories, Assessments, and Mitigations