CVE-2023-34127
published 2023-07-13


Priority: P1 (82) · Severity: high · CVSS 3.1 base score: 8.8
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploit: public exploit available (EXPLOIT)
EPSS: 86.73% (99.7th percentile)
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in SonicWall GMS, SonicWall Analytics enables an authenticated attacker to execute arbitrary code with root privileges. This issue affects GMS: 9.3.2-SP1 and earlier versions; Analytics: 2.5.0.4-R7 and earlier versions.

Affected (6 ranges)

Vendor     Product                   Version range    Fixed in
sonicwall  analytics                 <= 2.5.0.4-r7    (not specified)
sonicwall  analytics                 (not specified)  (not specified)
sonicwall  global_management_system  < 9.3.2          9.3.2
sonicwall  global_management_system  (not specified)  (not specified)
sonicwall  gms                       (not specified)  (not specified)
sonicwall  gms                       (not specified)  (not specified)

Note: the global_management_system row ("< 9.3.2", fixed in 9.3.2) is narrower than the vendor description above, which lists GMS 9.3.2-SP1 and earlier as affected. When scoping patching, treat the description's bounds (GMS <= 9.3.2-SP1, Analytics <= 2.5.0.4-R7) as authoritative rather than this row.

Detection & IOCs (extracted from sources)

url:   /ws/msw/tenant/%27%20union%20select%20%28select%20ID%20from%20SGMSDB.DOMAINS%20limit%201%29%2C%20%27%27%2C%20%27%27%2C%20%27%27%2C%20%27%27%2C%20%27%27%2C%20%28select%20concat%28id%2C%20%27%3A%27%2C%20password%29%20from%20sgmsdb.users%20where%20active%20%3D%20%271%27%20order%20by%20issuperadmin%20desc%20limit%201%20offset%200%29%2C%27%27%2C%20%27%27%2C%20%27
       (URL-decoded: /ws/msw/tenant/' union select (select ID from SGMSDB.DOMAINS limit 1), '', '', '', '', '', (select concat(id, ':', password) from sgmsdb.users where active = '1' order by issuperadmin desc limit 1 offset 0),'', '', ')
path:  /ws/msw/tenant/
path:  /appliance/login
path:  /appliance/applianceMainPage
path:  /opt/GMSVP/etc/
other: http.favicon.hash:-1381126564 (Shodan query syntax)
other: icon_hash=-1381126564 (FOFA query syntax)
  • Detect SQL injection attempts against the /ws/msw/tenant/ endpoint: look for URL-encoded UNION SELECT payloads in the URI path that reference the SGMSDB.DOMAINS and sgmsdb.users tables. Decode the path before matching, since the payload arrives percent-encoded.
  • Detect authentication bypass attempts on two request shapes: GET requests to /ws/msw/tenant/ that carry the custom Auth header holding a base64-encoded HMAC-SHA1 value, and POST requests to /appliance/applianceMainPage with action=login.
  • Use the Shodan/FOFA favicon hash -1381126564 to identify exposed SonicWall GMS/Analytics instances for asset discovery and attack-surface monitoring.
  • The exploit chain has three stages: (1) SQL injection on /ws/msw/tenant/ to harvest credentials, (2) login via /appliance/applianceMainPage to obtain a session, (3) shell injection through the file_system search task. Correlate these request patterns from the same source IP within a short window rather than alerting on any one of them alone.
  • The HMAC secret used in the authentication bypass is a fixed string; flag requests whose Auth header value verifies as an HMAC-SHA1 derived with the secret '?~!@#$%^^()'.
  • CVE-2023-34127 requires an authenticated attacker (OS command injection executing as root), whereas the exploit template shown targets the related CVE-2023-34124 (authentication bypass plus SQL injection). The Nuclei template ID and references belong to CVE-2023-34124, not CVE-2023-34127; detections should expect the two CVEs to be chained, with CVE-2023-34124 supplying the credentials and session that CVE-2023-34127 needs.
  • Affected versions are GMS 9.3.2-SP1 and earlier and Analytics 2.5.0.4-R7 and earlier. The Metasploit module references GMS versions <= 9.9.9320, which may reflect a broader or updated scope; do not rely on the narrower 9.3.2 range from the table above.
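The correlation described in the detection notes above, as an added example that is not part of this page or any SonicWall tooling: it parses access-log lines, percent-decodes the request target, flags stage 1 (UNION SELECT against SGMSDB tables via /ws/msw/tenant/) and stage 2 (login POST to /appliance/applianceMainPage), and reports source IPs where stage 2 follows stage 1 inside a time window. Assumptions: the log lines are constructed Apache/Tomcat combined-format samples; the example expects action=login in the query string (the page does not say whether it travels in the query or the body, so a proxy or WAF log that records bodies may be needed); the page gives no request shape for the stage-3 file_system search task, so post-login requests are only counted as context, not matched.

```python
"""Correlate the CVE-2023-34124 / CVE-2023-34127 request chain in access logs."""
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import unquote, urlsplit

# Constructed sample log lines (Apache/Tomcat combined format). Not real traffic.
# 203.0.113.7 runs the chain: SQLi on /ws/msw/tenant/, then login, then more activity.
# 198.51.100.4 only touches the same endpoints legitimately.
SAMPLE_LOG = """\
203.0.113.7 - - [13/Jul/2023:10:00:01 +0000] "GET /ws/msw/tenant/%27%20union%20select%20%28select%20ID%20from%20SGMSDB.DOMAINS%20limit%201%29%2C%20%27%27%2C%20%27%27%2C%20%27%27%2C%20%27%27%2C%20%27%27%2C%20%28select%20concat%28id%2C%20%27%3A%27%2C%20password%29%20from%20sgmsdb.users%20where%20active%20%3D%20%271%27%20order%20by%20issuperadmin%20desc%20limit%201%20offset%200%29%2C%27%27%2C%20%27%27%2C%20%27 HTTP/1.1" 200 512
203.0.113.7 - - [13/Jul/2023:10:00:05 +0000] "POST /appliance/applianceMainPage?action=login HTTP/1.1" 302 0
203.0.113.7 - - [13/Jul/2023:10:00:09 +0000] "POST /appliance/applianceMainPage HTTP/1.1" 200 2048
198.51.100.4 - - [13/Jul/2023:10:01:00 +0000] "GET /ws/msw/tenant/acme HTTP/1.1" 200 300
198.51.100.4 - - [13/Jul/2023:10:01:30 +0000] "POST /appliance/applianceMainPage?action=login HTTP/1.1" 200 2048
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
UNION_RE = re.compile(r"union\s+(all\s+)?select", re.I)
TABLE_RE = re.compile(r"sgmsdb\.(domains|users)", re.I)


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def decode_target(target, rounds=2):
    """Percent-decode repeatedly; a second round catches double-encoded payloads."""
    for _ in range(rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target


def is_tenant_sqli(target):
    """Stage 1: UNION SELECT naming SGMSDB tables, delivered via /ws/msw/tenant/."""
    decoded = decode_target(target)
    if not urlsplit(decoded).path.lower().startswith("/ws/msw/tenant/"):
        return False
    return bool(UNION_RE.search(decoded) and TABLE_RE.search(decoded))


def is_gms_login(method, target):
    """Stage 2: login POST to the appliance main page (action=login assumed in query)."""
    parts = urlsplit(decode_target(target))
    return (method == "POST"
            and parts.path == "/appliance/applianceMainPage"
            and "action=login" in parts.query.lower())


def correlate(lines, window_seconds=900):
    """Return {ip: {...}} for every source that sent stage 1, recording whether a
    stage-2 login followed within the window and how many requests came after it."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_ip[rec["ip"]].append(rec)
    alerts = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        sqli_ts = next((r["ts"] for r in recs if is_tenant_sqli(r["target"])), None)
        if sqli_ts is None:
            continue  # no stage 1 from this source; the login alone is not suspicious
        login_ts = next(
            (r["ts"] for r in recs
             if r["ts"] >= sqli_ts
             and (r["ts"] - sqli_ts).total_seconds() <= window_seconds
             and is_gms_login(r["method"], r["target"])),
            None,
        )
        after_login = 0 if login_ts is None else sum(1 for r in recs if r["ts"] > login_ts)
        alerts[ip] = {"sqli": sqli_ts, "login": login_ts,
                      "post_login_requests": after_login}
    return alerts


if __name__ == "__main__":
    for ip, info in correlate(SAMPLE_LOG.splitlines()).items():
        stage = "sqli+login chain" if info["login"] else "sqli only"
        print(f"{ip}: {stage}, {info['post_login_requests']} request(s) after login")
```

Feed real logs in through `correlate(open(path).read().splitlines())`; the window of 15 minutes is a starting point, and the favicon-hash queries listed above are the way to build the asset list this should run against.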