CVE-2023-23295
Published: 2023-02-23
Priority: P1 (80) high · CVSS 3.1 base score 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Exploited in the wild (ITW) · listed in VulnCheck KEV
EPSS: 3.83% (88.8th percentile)
Korenix Jetwave 4200 Series 1.3.0 and JetWave 3000 Series 1.6.0 are vulnerable to Command Injection via /goform/formSysCmd. An attacker can modify the sysCmd parameter in order to execute commands as root.
Affected
15 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| korenix | jetwave_2111_firmware | < 1.5 | 1.5 |
| korenix | jetwave_2111l_firmware | < 1.6 | 1.6 |
| korenix | jetwave_2114_firmware | < 1.4 | 1.4 |
| korenix | jetwave_2211c_firmware | < 1.6 | 1.6 |
| korenix | jetwave_2212g_firmware | — | — |
| korenix | jetwave_2212s_firmware | — | — |
| korenix | jetwave_2212x_firmware | — | — |
| korenix | jetwave_2411_firmware | < 1.5 | 1.5 |
| korenix | jetwave_2411l_firmware | < 1.6 | 1.6 |
| korenix | jetwave_2414_firmware | < 1.4 | 1.4 |
| korenix | jetwave_2424_firmware | < 1.3 | 1.3 |
| korenix | jetwave_2460_firmware | < 1.6 | 1.6 |
| korenix | jetwave_3220_v3_firmware | < 1.7 | 1.7 |
| korenix | jetwave_3420_v3_firmware | < 1.7 | 1.7 |
| korenix | jetwave_4221hp-e_firmware | <= 1.3.0 | — |
Detection & IOCs (extracted from sources)
- Monitor POST requests targeting /goform/formSysCmd for manipulation of the sysCmd parameter, which can be used to execute arbitrary commands as root.
- Exploitation requires low-privilege authenticated access (PR:L); monitor for unexpected or unauthorized logins to Korenix JetWave management interfaces prior to exploitation attempts.
- No known public exploits specifically target this vulnerability at time of advisory publication.
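A triage script for the first indicator above, added here as an example and not taken from any of the sources quoted on this page: it parses constructed proxy/WAF records, pulls the sysCmd value out of requests to /goform/formSysCmd (query string or form body), and grades each hit by whether it came from an assumed management-host allowlist (ADMIN_SOURCES, hypothetical).

```python
"""Flag every request that reaches the JetWave /goform/formSysCmd endpoint.

Input is constructed JSON-lines imitating a proxy/WAF log that records the
decoded POST body. The endpoint runs sysCmd as root, so every hit with the
parameter is reported; hits from outside the admin allowlist rank high.
"""
import json
from urllib.parse import parse_qs, urlsplit

TARGET_PATH = "/goform/formSysCmd"
PARAM = "sysCmd"
ADMIN_SOURCES = {"10.0.0.5"}  # hypothetical management hosts, adjust per site


def extract_syscmd(path, body):
    """sysCmd value for a request to the endpoint ("" if absent), else None."""
    url = urlsplit(path)
    if url.path != TARGET_PATH:
        return None
    for raw in (url.query, body):  # the parameter may travel either way
        vals = parse_qs(raw, keep_blank_values=True).get(PARAM)
        if vals:
            return vals[0]
    return ""


def analyze(log_lines):
    """One alert per request to the endpoint, enriched for triage."""
    alerts = []
    for line in filter(str.strip, log_lines.splitlines()):
        rec = json.loads(line)
        cmd = extract_syscmd(rec.get("path", ""), rec.get("body", ""))
        if cmd is None:
            continue
        severity = "medium" if rec.get("src") in ADMIN_SOURCES else "high"
        alerts.append({"ts": rec["ts"], "src": rec["src"], "user": rec.get("user"),
                       "sysCmd": cmd, "severity": severity})
    return alerts


SAMPLE_LOG = "\n".join([  # constructed records, not real traffic
    '{"ts":"2023-09-06T10:00:01Z","src":"10.0.0.5","user":"admin","path":"/goform/formSysCmd","body":"sysCmd=ifconfig&submit=1"}',
    '{"ts":"2023-09-06T10:00:07Z","src":"203.0.113.9","user":"guest","path":"/goform/formSysCmd","body":"sysCmd=id"}',
    '{"ts":"2023-09-06T10:00:09Z","src":"203.0.113.9","user":"guest","path":"/goform/formSysCmd?sysCmd=uptime","body":""}',
    '{"ts":"2023-09-06T10:00:12Z","src":"198.51.100.2","user":null,"path":"/index.html","body":""}',
])

if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

Requests to the endpoint without a sysCmd value are still returned (with an empty string) so that probing of the form itself stays visible.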
CVSS provenance
- NVD (v3.1): 8.8 HIGH, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- VulnCheck: 8.8 HIGH
GHSA
GHSA-q74f-hvfr-7jqc: Korenix Jetwave 4200 Series 1
ghsa_unreviewed · 2023-02-24 · CVE-2023-23295 [HIGH] · CWE-77
Korenix Jetwave 4200 Series 1.3.0 and JetWave 3000 Series 1.6.0 are vulnerable to Command Injection via /goform/formSysCmd. An attacker can modify the sysCmd parameter in order to execute commands as root.
VulnCheck
korenix jetwave_2212g_firmware: Improper Neutralization of Special Elements used in a Command ('Command Injection')
vulncheck · 2023 · CVE-2023-23295 [HIGH] · CVSS 8.8
Korenix Jetwave 4200 Series 1.3.0 and JetWave 3000 Series 1.6.0 are vulnerable to Command Injection via /goform/formSysCmd. An attacker can modify the sysCmd parameter in order to execute commands as root.
Affected: korenix jetwave_2212g_firmware
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.fortinet.com/blog/threat-research/Iz1h9-campaign-enhances-arsenal-with-scores-of-exploits; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-02-05&host_type=src&vulnerability=cve-2023-23295; https://dashboard.
CISA ICS
Korenix Jetwave
cisa_ics · 2023-04-06 · CVSS 8.8 · [HIGH]
ICS Advisory
Release Date: April 06, 2023
Alert Code: ICSA-23-096-04
## 1. EXECUTIVE SUMMARY
- CVSS v3 8.8
- ATTENTION: Exploitable remotely/low attack complexity
- Vendor: Korenix
- Equipment: Jetwave
- Vulnerabilities: Command Injection, Uncontrolled Resource Consumption
## 2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow an attacker to gain full access to the underlying operating system of the device or cause a denial-of-service condition.
## 3. TECHNICAL DETAILS
## 3.1 AFFECTED PRODUCTS
The following versions of Korenix Jetwave are affected:
- Korenix JetWave4221 HP-E versions V1.3.0 and prior
- Korenix JetWave 3220/3420 V3 versions prior to V1.7
- Korenix JetWave 2212G version V1.3.T
- Korenix JetWa
No detection rules found.
No public exploits indexed.
Bleepingcomputer
Mirai DDoS malware variant expands targets with 13 router exploits
blogs_bleepingcomputer · 2023-10-10 · CVSS 9.8 · [CRITICAL]
By Bill Toulas
A Mirai-based DDoS (distributed denial of service) malware botnet tracked as IZ1H9 has added thirteen new payloads to target Linux-based routers and routers from D-Link, Zyxel, TP-Link, TOTOLINK, and others.
Fortinet researchers report observing a peak in the exploitation rates around the first week of September, reaching tens of thousands of exploitation attempts against vulnerable devices.
IZ1H9 compromises devices to enlist them to its DDoS swarm and then launches DDoS attacks on specified targets, presumably on the order of clients renting its firepower.
## Extensive IoT targeting
The more devices and vulnerabilities targeted by a DDoS malware increased the potential to build a large and powerful
Fortinet
IZ1H9 Campaign Enhances Its Arsenal with Scores of Exploits | FortiGuard Labs
blogs_fortinet · 2023-10-09 · CVSS 9.8 · [CRITICAL]
FORTIGUARD LABS THREAT RESEARCH
By Cara Lin | October 09, 2023
Affected Platforms: Linux
Impacted Users: Any organization
Impact: Remote attackers gain control of the vulnerable systems
Severity Level: Critical
In September 2023, our FortiGuard Labs team observed that the IZ1H9 Mirai-based DDoS campaign has aggressively updated its arsenal of exploits. Thirteen payloads were included in this variant, including D-Link devices, Netis wireless router, Sunhillo SureLine, Geutebruck IP camera, Yealink Device Management, Zyxel devices, TP-Link Archer, Korenix Jetwave, and TOTOLINK routers.
Based on the trigger counts recorded by our IPS signatures, it is evident that peak exploitation occurred on September 6, with trigger counts ran