CVE-2023-27826
published 2023-04-12CVE-2023-27826: SeowonIntech SWC 5100W WIMAX Bootloader 1.18.19.0, HW 0.0.7.0, and FW 1.11.0.1, 1.9.9.4 are vulnerable to OS Command Injection. which allows attackers to take…
PriorityP273high8.8CVSS 3.1
AVNACLPRLUINSUCHIHAH
EXPLOIT
EPSS
11.77%
95.6th percentile
SeowonIntech SWC 5100W WIMAX Bootloader 1.18.19.0, HW 0.0.7.0, and FW 1.11.0.1, 1.9.9.4 are vulnerable to OS Command Injection. which allows attackers to take over the system with root privilege by abusing doSystem() function.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| seowonintech | swc-5100w_firmware | — | — |
| seowonintech | swc-5100w_firmware | — | — |
Detection & IOCsextracted from sources · hover to see the quote
urlhttp://{target}/cgi-bin/diagnostic.cgi?action=Apply&html_view=ping&ping_count=10&ping_ipaddr=;echo 'PUTS(PWNED_1EE7)';↗
- →Monitor HTTP GET requests to /cgi-bin/diagnostic.cgi containing shell metacharacters (semicolons, backticks) in the ping_ipaddr parameter, which is the injection point for OS command injection via doSystem(). ↗
- →Alert on HTTP responses from /cgi-bin/diagnostic.cgi containing the string 'PWNED_1EE7', which is the canary value used by the public exploit to confirm successful command injection. ↗
- →The vulnerability is exploited via the ping_ipaddr CGI parameter by injecting OS commands after a semicolon, abusing the doSystem() function to execute arbitrary commands with root privilege. ↗
- →The exploit is unauthenticated (GET request with no session/auth headers shown); detect anomalous GET requests to diagnostic.cgi from external or unexpected source IPs. ↗
- ·Affected firmware versions are FW 1.11.0.1 and 1.9.9.4, Bootloader 1.18.19.0, HW 0.0.7.0. Detection rules should be scoped to SeowonIntech SWC-5100W WIMAX devices running these versions. ↗
- ·The exploit title notes 'Authenticated RCE', meaning the attacker must be authenticated to the device management interface before exploiting the injection point. ↗
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
No detection rules found.
No writeups or analysis indexed.
2023-04-12
Published