CVE-2023-3710
Published 2023-09-12
CVE-2023-3710: Improper Input Validation vulnerability in Honeywell PM43 on 32 bit, ARM (Printer web page modules) allows Command Injection. This issue affects PM43 versions…
Priority: P1 87 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 33.09% (98.2th percentile)
Improper Input Validation vulnerability in Honeywell PM43 on 32 bit, ARM (Printer web page modules) allows Command Injection. This issue affects PM43 versions prior to P10.19.050004. Update to the latest available firmware version of the respective printers to version MR19.5 (e.g. P10.19.050006).
Affected (9 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| honeywell | pm23_43 | < P10.19.050004 | P10.19.050004 |
| honeywell | pm42 | < T10.19.050004 | T10.19.050004 |
| honeywell | pm42 | < L10.19.050004 | L10.19.050004 |
| honeywell | pm43_firmware | < p10.19.050004 | p10.19.050004 |
| honeywell | pm45 | < J10.19.050004 | J10.19.050004 |
| honeywell | px45_65 | < B10.19.050004 | B10.19.050004 |
| honeywell | px4ie_6ie | < A10.19.050004 | A10.19.050004 |
| honeywell | px940 | < H10.19.050004 | H10.19.050004 |
| honeywell | rp2f_rp4f | < M10.19.050006 | M10.19.050006 |
Detection & IOCs
yara
regex: 'uid=([0-9(a-z)]+) gid=([0-9(a-z)]+) groups=([0-9(a-z)]+)'
- Exploit targets the `username` parameter in POST requests to `/loadfile.lp?pageid=Configure` via newline injection (`%0a`) to break out of the input context and execute OS commands.
- Shodan/FOFA fingerprint for exposed Honeywell PM43 login pages: search for `/main/login.lua?pageid=` in the HTTP response body.
- Successful exploitation response body contains OS command output matching `uid=... gid=... groups=...` and the string `Release date`, confirming RCE.
- Attack is unauthenticated (PR:N) and network-reachable (AV:N); no prior session or credentials are required to exploit the printer web interface.
- Content-Type for the exploit POST must be `application/x-www-form-urlencoded`; monitor for POST requests to `/loadfile.lp` with URL-encoded newlines (`%0a`) in the `username` field.
- Vulnerable firmware versions are strictly prior to P10.19.050004; devices already patched to MR19.5 (e.g. P10.19.050006) are not affected.
- The vulnerability is architecture-specific: only 32-bit ARM builds of the PM43 printer web page modules are affected.
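One way to turn the request and response indicators above into a log check, as an added example (not code from any of the cited sources). The event field names, the `other` form field and the sample bodies are constructed assumptions; the path, parameter name and regex are the ones quoted above.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Response marker quoted on the page: `id`-style output reflected in the body.
ID_OUTPUT = re.compile(r"uid=([0-9(a-z)]+) gid=([0-9(a-z)]+) groups=([0-9(a-z)]+)")

def username_has_newline(raw_body: str) -> bool:
    """True if the form-encoded body carries CR or LF inside `username`."""
    # parse_qsl percent-decodes, so %0a, %0A and %0d are all caught.
    return any(
        key == "username" and ("\n" in value or "\r" in value)
        for key, value in parse_qsl(raw_body, keep_blank_values=True)
    )

def classify(event: dict) -> str:
    """Label one HTTP transaction: 'benign', 'attempt' or 'compromise'."""
    if event["method"].upper() != "POST":
        return "benign"
    if urlsplit(event["uri"]).path != "/loadfile.lp":
        return "benign"
    if not username_has_newline(event.get("request_body", "")):
        return "benign"
    # Request matches the injection pattern; the response decides severity.
    if ID_OUTPUT.search(event.get("response_body", "")):
        return "compromise"
    return "attempt"

# Constructed sample events (hypothetical normalized proxy-log fields).
SAMPLES = [
    {"method": "POST", "uri": "/loadfile.lp?pageid=Configure",
     "request_body": "username=operator&other=x",
     "response_body": "<html>login failed</html>"},
    {"method": "POST", "uri": "/loadfile.lp?pageid=Configure",
     "request_body": "username=operator%0aPLACEHOLDER&other=x",
     "response_body": "<html>login failed</html>"},
    {"method": "POST", "uri": "/loadfile.lp?pageid=Configure",
     "request_body": "username=operator%0APLACEHOLDER&other=x",
     "response_body": "uid=0(root) gid=0(root) groups=0(root)\n<html>"},
    {"method": "GET", "uri": "/main/login.lua?pageid=Configure",
     "request_body": "", "response_body": "<html>"},
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(classify(sample), sample["uri"])
```

An `attempt` result still warrants checking the device's firmware version against the fixed-in table, since the response body may not have been captured.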
CVSS provenance
- nvd: v3.1, 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- vulncheck: 9.9 CRITICAL
GHSA
GHSA-9mq5-f7mh-w3xc: Improper Input Validation vulnerability in Honeywell PM43 on 32 bit, ARM (Printer web page modules) allows Command Injection
ghsa_unreviewed·2023-09-12
CVE-2023-3710 [CRITICAL] CWE-20 GHSA-9mq5-f7mh-w3xc: Improper Input Validation vulnerability in Honeywell PM43 on 32 bit, ARM (Printer web page modules) allows Command Injection
VulnCheck
honeywell pm43_firmware Improper Input Validation
vulncheck·2023·CVSS 9.9
CVE-2023-3710 [CRITICAL] honeywell pm43_firmware Improper Input Validation
Affected: honeywell pm43_firmware
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-02-06&host_type=src&vulnerability=cve-2023-3710; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-02-07&host_type=src
No detection rules found.
Exploit-DB
Honeywell PM43 < P10.19.050004 - Remote Code Execution (RCE)
exploitdb·2024-03-14·CVSS 9.9
CVE-2023-3710 [CRITICAL] Honeywell PM43 < P10.19.050004 - Remote Code Execution (RCE)
Honeywell PM43 ')
```python
        if html_start_index != -1:
            return response_text[:html_start_index]
        else:
            return response_text
    except requests.exceptions.RequestException as e:
        return f"Error: {e}"

def main():
    parser = argparse.ArgumentParser(description='Command Injection PoC for Honeywell PM43 Printers')
    parser.add_argument('--url', dest='url', help='Target URL', required=True)
    parser.add_argument('--run', dest='command', help='Command to execute', required=True)
    args = parser.parse_args()
    response = run_command(args.url, args.command)
    print(f"{BLUE}{response}{RESET}")

if __name__ == "__main__":
    banner()
    main()
```
Nuclei
Honeywell PM43 Printers - Command Injection
nuclei·CVSS 9.8
CVE-2023-3710 [CRITICAL] Honeywell PM43 Printers - Command Injection
Template:
```yaml
id: CVE-2023-3710

info:
  name: Honeywell PM43 Printers - Command Injection
  author: win3zz
  severity: critical
  description: |
    Improper Input Validation vulnerability in Honeywell PM43 on 32 bit, ARM (Printer web page modules) allows Command Injection.This issue affects PM43 versions prior to P10.19.050004. Update to the latest available firmware version of the respective printers to version MR19.5 (e.g. P10.19.050006)
  impact: |
    Unauthenticated a
```
- https://hsmftp.honeywell.com:443/en/Software/Printers/Industrial/PM23-PM23c-PM43-PM43c/Current/Firmware/firmwaresignedP1019050004
- https://hsmftp.honeywell.com:443/en/Software/Printers/Industrial/PM23-PM23c-PM43-PM43c/Current/Firmware/firmwarexasignedP1019050004A
- https://www.honeywell.com/us/en/product-security
Published: 2023-09-12
Exploited in the wild