CVE-2023-26802
Published: 2023-03-26
Priority: P1 · 89 · critical · 9.8 (CVSS 3.1)
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
ITW · Exploit · VulnCheck KEV
Exploited in the wild
EPSS: 48.71% (98.7th percentile)
An issue in the component /network_config/nsg_masq.cgi of DCN (Digital China Networks) DCBI-Netlog-LAB v1.0 allows attackers to bypass authentication and execute arbitrary commands via a crafted request.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| dcnglobal | dcbi-netlog-lab_firmware | — | — |
Detection & IOCs (extracted from sources)
URL: GET /cgi-bin/network_config/nsg_masq.cgi?user_name=admin&session_id=../&lang=zh_CN.UTF-8&act=2&proto=;ls>/usr/local/lyx/lyxcenter/web/{{file_name}};
Path: /usr/local/lyx/lyxcenter/web/
Snort rule:
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT DCN DCBI-Netlog-LAB Remote Code Execution Vulnerability Attempt (CVE-2023-26802)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/cgi-bin/network_config/nsg_masq.cgi?"; startswith; fast_pattern; content:"&proto="; distance:0; pcre:"/(?:(wget|curl))/R"; reference:url,unit42.paloaltonetworks.com/mirai-variant-iz1h9; reference:cve,2023-26802; classtype:attempted-admin; sid:2048549; rev:1; metadata:attack_target IoT, created_at 2023_10_12, cve CVE_2023_26802, deployment Perimeter, performance_impact Low, confidence Medium, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2023_10_12, reviewed_at 2023_10_12, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
- Exploit requests target GET /cgi-bin/network_config/nsg_masq.cgi with the 'proto' parameter used for command injection (e.g., semicolon-delimited OS commands). The Snort/ET rule keys on the URI prefix '/cgi-bin/network_config/nsg_masq.cgi?' combined with '&proto=' and the presence of wget or curl in the URI.
- The session_id parameter is set to '../' (path traversal) to bypass authentication in the exploit request.
- Post-exploitation, the malware writes output files to /usr/local/lyx/lyxcenter/web/ and retrieves them via HTTP. Detect unexpected .html files appearing in that web root.
- Verify exploitation by checking the HTTP response body for the strings 'nsg_bridge.cgi' and 'nsg_dhcpactiveip.cgi', which indicate that directory listing output was written to the web root.
- IZ1H9 botnet clients use XOR key 0xBAADF00D for configuration string decryption (bytewise: 0xBA^0xAD^0xF0^0x0D = 0xEA). Scan memory or binaries for this key to identify IZ1H9 samples.
- IZ1H9 uses a 1-byte XOR key 0x54 to encrypt embedded telnet/SSH brute-force credentials. Scan botnet binaries for this decryption pattern.
- Palo Alto Networks Threat Prevention signatures 93386, 93718, 93721, 93722 cover the exploit traffic and malware associated with this campaign.
- The IZ1H9 exploit function for the Tenda vulnerability mistakenly executes 'netlog.sh' instead of 'tenda.sh', meaning that specific exploit chain will not function correctly as coded in this sample.
- The shell script downloader hash (692a5d099e37cd94923ea2) appears truncated in the source document and may be incomplete; verify against the original report before using it as a detection hash.
CVSS provenance
NVD (v3.1): 9.8 CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
VulnCheck: 9.8 CRITICAL
GHSA
GHSA-6hpx-36c6-c2j2 · ghsa_unreviewed · 2023-03-26 · CVE-2023-26802 [CRITICAL] · CWE-22
An issue in the component /network_config/nsg_masq.cgi of DCN (Digital China Networks) DCBI-Netlog-LAB v1.0 allows attackers to bypass authentication and execute arbitrary commands via a crafted request.
VulnCheck
dcnglobal dcbi-netlog-lab_firmware: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
vulncheck · 2023 · CVSS 9.8 · CVE-2023-26802 [CRITICAL]
An issue in the component /network_config/nsg_masq.cgi of DCN (Digital China Networks) DCBI-Netlog-LAB v1.0 allows attackers to bypass authentication and execute arbitrary commands via a crafted request.
Affected: dcnglobal dcbi-netlog-lab_firmware
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.fortiguard.com/outbreak-alert/router-malware-attack; https://unit42.paloaltonetworks.com/mirai-variant-iz1h9/; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2025-06-16&host_type=src&vulnerability=cve-2023-268
Suricata
ET EXPLOIT DCN DCBI-Netlog-LAB Remote Code Execution Vulnerability Attempt (CVE-2023-26802)
suricata · 2023-10-12 · CVSS 9.8 · CVE-2023-26802 [CRITICAL]
Rule: alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT DCN DCBI-Netlog-LAB Remote Code Execution Vulnerability Attempt (CVE-2023-26802)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/cgi-bin/network_config/nsg_masq.cgi?"; startswith; fast_pattern; content:"&proto="; distance:0; pcre:"/(?:(wget|curl))/R"; reference:url,unit42.paloaltonetworks.com/mirai-variant-iz1h9; reference:cve,2023-26802; classtype:attempted-admin; sid:2048549; rev:1; metadata:attack_target IoT, created_at 2023_10_12, cve CVE_2023_26802, deployment Perimeter, performance_impact Low, confidence Medium, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at
Nuclei
DCBI-Netlog-LAB v1.0 - Command Injection
nuclei · CVSS 9.8 · CVE-2023-26802 [CRITICAL]
An issue in the component /network_config/nsg_masq.cgi of DCN (Digital China Networks) DCBI-Netlog-LAB v1.0 allows attackers to bypass authentication and execute arbitrary commands via a crafted request.
Template:

```yaml
id: CVE-2023-26802

info:
  name: DCBI-Netlog-LAB v1.0 - Command Injection
  author: pussycat0x
  severity: critical
  description: |
    An issue in the component /network_config/nsg_masq.cgi of DCN (Digital China Networks) DCBI-Netlog-LAB v1.0 allows attackers to bypass authentication and execute arbitrary commands via a crafted request.
  impact: |
    Unauthenticated attackers can bypass authentication and execute arbitrary OS commands on the DCN DCBI-Netlog-LAB device, leading to complete device compromise and potential network infiltration.
  remedia
```
Unit42
## Old Wine in the New Bottle: Mirai Variant Targets Multiple IoT Devices
blogs_unit42 · 2023-05-25 · CVSS 9.8 · CVE-2023-26801 [CRITICAL] · CVE-2023-27076 [CRITICAL]
Authors: Chao Lei, Zhibin Zhang, Cecilia Hu
Published: May 25, 2023
Tags: Trend Reports, Vulnerabilities, CVE-2023-26801, CVE-2023-26802, CVE-2023-27076, IoT, IZ1H9, Mirai variant
## Executive Summary
On April 10, Unit 42 researchers observed a Mirai variant called IZ1H9, which used several vulnerabilities to spread itself. The threat actors use the following vulnerabilities to target exposed servers and networking devices running Linux:
- CVE-2023-27076: Tenda G103 command injection vulnerability
- CVE-2023-26801: LB-Link command injection vulnerability
- CVE-2023-26802: DCN DCBI-Netlog-LAB remote code execution vulnerability
- Zyxel remote code execution vulnerability
Compromised devices can be fully controlled by attackers and become a part of the botnet. Those devices can be used to conduct further attacks, such as distributed denial-of-service (DDoS) attacks.
Palo Alto Networks Next Generation Firewall customers receive protections through Cloud-Delivered S