CVE-2023-27886
Published 2023-03-28
Priority: P268, critical, 9.8 (CVSS 3.1)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 1.66% (73.7th percentile)
Osprey Pump Controller version 1.01 is vulnerable to an unauthenticated OS command injection vulnerability. This can be exploited to inject and execute arbitrary shell commands through an HTTP POST parameter called by the index.php script.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| propump_and_controls_inc | osprey_pump_controller | — | — |
| propumpservice | osprey_pump_controller_firmware | — | — |
GHSA
GHSA-x86m-ppmc-4jv6: Osprey Pump Controller version 1
ghsa_unreviewed·2023-03-28
CVE-2023-27886 [CRITICAL] CWE-78 GHSA-x86m-ppmc-4jv6: Osprey Pump Controller version 1
CISA ICS
ProPump and Controls Osprey Pump Controller (Update A)
cisa_ics·2024-02-08·CVSS 5.5
[MEDIUM] ProPump and Controls Osprey Pump Controller (Update A)
ICS Advisory
## ProPump and Controls Osprey Pump Controller (Update A)
Last Revised: February 08, 2024
Alert Code: ICSA-23-082-06
## 1. EXECUTIVE SUMMARY
- CVSS v3 9.8
- ATTENTION: Exploitable remotely/low attack complexity/public exploits are available
- Vendor: ProPump and Controls, Inc.
- Equipment: Osprey Pump Controller
- Vulnerabilities: Insufficient Entropy, Use of GET Request Method with Sensitive Query Strings, Use of Hard-coded Password, OS Command Injection, Cross-site Scripting, Authentication Bypass using an Alternate Path or Channel, Cross-Site Request Forgery, Command Injection
## 2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow an attacker to gain unauthorized access, retrieve sensitive information, modi
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.