CVE-2023-0776
published 2023-02-11


Priority: P2 63 · critical · 10 · CVSS 3.1
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
EPSS: 1.19% (64.1th percentile)
Baicells Nova 436Q, Nova 430E, Nova 430I, and Neutrino 430 LTE TDD eNodeB devices with firmware through QRTB 2.12.7 are vulnerable to remote shell code exploitation via HTTP command injections. Commands are executed pre-login and run with root permissions. The following methods have been tested and validated by a third-party analyst and have been confirmed exploitable. Special thanks to Rustam Amin for providing the steps to reproduce.

Affected

8 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| baicells | neutrino_430 | <= 2.12.7 | |
| baicells | neutrino_430_firmware | <= qrtb_2.12.7 | |
| baicells | nova430e_firmware | <= qrtb_2.12.7 | |
| baicells | nova430l_firmware | <= qrtb_2.12.7 | |
| baicells | nova436q_firmware | <= qrtb_2.12.7 | |
| baicells | nova_430e | <= 2.12.7 | |
| baicells | nova_430i | <= 2.12.7 | |
| baicells | nova_436q | <= 2.12.7 | |

Detection & IOCs (extracted from sources)

  • Vulnerability is exploitable via HTTP command injection on Baicells LTE eNodeB devices, executed pre-login with root permissions — monitor for unexpected HTTP requests targeting device management interfaces
  • Affected firmware versions are QRTB 2.12.7 and earlier on Baicells Nova 436Q, Nova 430E, Nova 430I, and Neutrino 430 — fingerprint device firmware version in network asset inventory to identify exposed devices
  • Exploitation requires no authentication (PR:N, UI:N per CVSS vector) — alert on unauthenticated HTTP requests to management interfaces of Baicells eNodeB devices
  • The CISA advisory contains a contradictory statement indicating 'This vulnerability is not exploitable remotely,' which conflicts with the CVSS vector (AV:N) and the NVD description stating it is remotely exploitable via HTTP — treat the device as remotely exploitable pending clarification
  • Patched firmware version is QRTB 2.12.8 — devices still running QRTB 2.12.7 or earlier should be treated as unpatched and at risk