CVE-2023-35762
published 2023-11-20CVE-2023-35762: Versions of INEA ME RTU firmware 3.36b and prior are vulnerable to operating system (OS) command injection, which could allow remote code execution.
PriorityP269critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
EPSS
1.70%
74.3th percentile
Versions of INEA ME RTU firmware 3.36b and prior are vulnerable to operating system (OS) command injection, which could allow remote code execution.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| inea | me_rtu | <= 3.36b | — |
| inea | me_rtu_firmware | < 3.37 | 3.37 |
Detection & IOCsextracted from sources · hover to see the quote
- →Target device: INEA ME RTU firmware versions 3.36b and prior are vulnerable to OS command injection (CVE-2023-35762), exploitable remotely with low complexity and low privileges required. ↗
- →A companion vulnerability (CVE-2023-29155) on the same device allows unauthenticated access to the 'root' account, which can be chained with CVE-2023-35762 to achieve full admin-level RCE without any credentials. ↗
- →CVSS v3 score of 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H) — network-reachable INEA ME RTU devices should be treated as high-priority detection targets; monitor for unexpected outbound connections or command execution from RTU host processes. ↗
- →Critical infrastructure sectors (Energy, Water and Wastewater, Transportation) are the primary deployment environments; prioritize detection and network segmentation monitoring for INEA ME RTU devices in these sectors. ↗
- ·No public exploitation has been reported to CISA at time of advisory publication; no proof-of-concept or exploit code IOCs are available from these sources. ↗
- ·The advisory covers two CVEs on the same product/firmware line; CVE-2023-29155 (missing authentication for root) is a distinct but closely related vulnerability that should be assessed alongside CVE-2023-35762 when evaluating exposure. ↗
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-f8cp-7vrf-q7fh: Versions of INEA ME RTU firmware 3
ghsa_unreviewed·2023-11-20
CVE-2023-35762 [CRITICAL] CWE-78 GHSA-f8cp-7vrf-q7fh: Versions of INEA ME RTU firmware 3
Versions of INEA ME RTU firmware 3.36b and prior are vulnerable to operating system (OS) command injection, which could allow remote code execution.
CISA ICS
INEA ME RTU
cisa_ics·2023-10-31·CVSS 9.8
[CRITICAL] INEA ME RTU
ICS Advisory
##
INEA ME RTU
Release DateOctober 31, 2023
Alert CodeICSA-23-304-02
View CSAF
## 1. EXECUTIVE SUMMARY
- CVSS v3 9.9
- ATTENTION: Exploitable remotely/low attack complexity
- Vendor: INEA
- Equipment: ME RTU
- Vulnerabilities: OS Command Injection, Missing Authentication for Critical Function
## 2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow remote code execution.
## 3. TECHNICAL DETAILS
## 3.1 AFFECTED PRODUCTS
The following versions of Inea ME RTU are affected:
- ME RTU: versions 3.36b and prior
## 3.2 Vulnerability Overview
3.2.1 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN AN OS COMMAND (‘OS COMMAND INJECTION')CWE-78
Versions of INEA ME RTU firmware 3.36b and prior are vulnerable to operating
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2023-11-20
Published