CVE-2023-31446
published 2024-01-10


Priority: P1 91, critical, 9.8 (CVSS 3.1)
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: ITW (exploited in the wild), exploit available, VulnCheck KEV, initial access
Exploited in the wild
EPSS: 61.08% (99.0th percentile)
In Cassia Gateway firmware XC1000_2.1.1.2303082218 and XC2000_2.1.1.2303090947, the queueUrl parameter in /bypass/config is not sanitized. This leads to injecting Bash code and executing it with root privileges on device startup.

Affected (2 ranges)

Vendor | Product | Version range | Fixed in
cassianetworks | xc1000_firmware | (not given) | (not given)
cassianetworks | xc2000_firmware | (not given) | (not given)

Detection & IOCs (extracted from sources)

url: /bypass/config?type=sqs&keyId=test&key=security&queueUrl=http://{{interactsh-url}}/
path: /bypass/config
version: XC1000_2.1.1.2303082218
version: XC2000_2.1.1.2303090947
  • Detect exploitation attempts by monitoring HTTP GET requests to /bypass/config containing a queueUrl parameter with an external URL or shell metacharacters, indicating Bash injection attempts.
  • Use Shodan/FOFA fingerprints to identify exposed Cassia Bluetooth Gateway devices: search for html string 'Cassia Bluetooth Gateway Management Platform' or 'cassia bluetooth gateway management platform'.
  • Confirm exploitation via out-of-band DNS interaction: a successful payload triggers a DNS callback from the device, detectable via interactsh or similar OOB infrastructure.
  • A successful response body matching exactly '^OK$' (regex) alongside a DNS OOB callback confirms the vulnerability is exploitable on the target device.
  • The injection is triggered at device startup, not immediately upon the HTTP request: the injected Bash code executes with root privileges only when the device reboots or restarts.
  • The vulnerability is unauthenticated (PR:N, UI:N per CVSS), meaning no credentials are required to submit the malicious queueUrl parameter to /bypass/config.
  • The Nuclei template uses a 20-second timeout for the request, which may need adjustment in slow-network environments to avoid false negatives.
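As an added example (not part of this record or of any Cassia or VulnCheck tooling), a detection pass over constructed access-log lines that implements the first bullet above: it flags GET /bypass/config requests whose queueUrl carries shell metacharacters or points at a host outside an assumed allowlist. The log format, the sample lines and the .amazonaws.com allowlist suffix are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed access-log lines (not from the original page). The third request
# carries a URL-encoded ';' inside queueUrl, the kind of metacharacter a Bash
# injection needs; the second is a plausible legitimate SQS queue URL.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jan/2024:10:00:00 +0000] "GET /bypass/config?type=sqs&keyId=test&key=security&queueUrl=http://oob.example.net/ HTTP/1.1" 200 2
192.0.2.5 - - [10/Jan/2024:10:00:01 +0000] "GET /bypass/config?type=sqs&keyId=a&key=b&queueUrl=https://sqs.us-east-1.amazonaws.com/123456789012/myqueue HTTP/1.1" 200 2
198.51.100.9 - - [10/Jan/2024:10:00:02 +0000] "GET /bypass/config?type=sqs&queueUrl=http%3A%2F%2Fx%2F%3Bid%3B HTTP/1.1" 200 2
198.51.100.2 - - [10/Jan/2024:10:00:03 +0000] "GET /index.html HTTP/1.1" 200 512
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
SHELL_META = re.compile(r"[;|&`$(){}<>\n]")  # characters that break out of a quoted Bash string
# Assumed allowlist of hosts a legitimate SQS queueUrl would point at (hypothetical).
TRUSTED_HOST_SUFFIXES = (".amazonaws.com",)


def is_suspicious_queue_url(value):
    """Return a reason string if queueUrl looks like an injection attempt, else None."""
    if SHELL_META.search(value):
        return "shell metacharacter in queueUrl"
    host = urlsplit(value).hostname or ""
    if not host.endswith(TRUSTED_HOST_SUFFIXES):
        return f"queueUrl points at untrusted host {host!r}"
    return None


def scan_access_log(text):
    """Return (client_ip, reason) pairs for requests matching the CVE-2023-31446 pattern."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if parts.path != "/bypass/config":
            continue
        # parse_qs percent-decodes values, so an encoded ';' is inspected as ';'
        for value in parse_qs(parts.query).get("queueUrl", []):
            reason = is_suspicious_queue_url(value)
            if reason:
                findings.append((line.split(" ", 1)[0], reason))
    return findings


if __name__ == "__main__":
    for ip, reason in scan_access_log(SAMPLE_LOG):
        print(f"{ip}: {reason}")
```

The response-body check ('^OK$') and the DNS callback from the other bullets are not visible in an HTTP access log, so pair this with DNS logging from the device's network segment.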

CVSS provenance

NVD (v3.1): 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
VulnCheck: 9.8 CRITICAL