cbcvebase.
CVE-2023-3710
published 2023-09-12

CVE-2023-3710: Improper Input Validation vulnerability in Honeywell PM43 on 32 bit, ARM (Printer web page modules) allows Command Injection.This issue affects PM43 versions…

PriorityP187critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
ITWEXPLOITVulnCheck KEV
Exploited in the wild
EPSS
33.09%
98.2th percentile
Improper Input Validation vulnerability in Honeywell PM43 on 32 bit, ARM (Printer web page modules) allows Command Injection.This issue affects PM43 versions prior to P10.19.050004. Update to the latest available firmware version of the respective printers to version MR19.5 (e.g. P10.19.050006).

Affected

9 ranges
VendorProductVersion rangeFixed in
honeywellpm23_43< P10.19.050004P10.19.050004
honeywellpm42< T10.19.050004T10.19.050004
honeywellpm42< L10.19.050004L10.19.050004
honeywellpm43_firmware< p10.19.050004p10.19.050004
honeywellpm45< J10.19.050004J10.19.050004
honeywellpx45_65< B10.19.050004B10.19.050004
honeywellpx4ie_6ie< A10.19.050004A10.19.050004
honeywellpx940< H10.19.050004H10.19.050004
honeywellrp2f_rp4f< M10.19.050006M10.19.050006

Detection & IOCsextracted from sources · hover to see the quote

path/loadfile.lp?pageid=Configure
commandusername=x%0aid;pwd;cat+/etc/*-release%0a&userpassword=1
yara
regex: 'uid=([0-9(a-z)]+) gid=([0-9(a-z)]+) groups=([0-9(a-z)]+)'
  • Exploit targets the `username` parameter in POST requests to `/loadfile.lp?pageid=Configure` via newline-injection (`%0a`) to break out of input context and execute OS commands.
  • Shodan/FOFA fingerprint for exposed Honeywell PM43 login pages: search for `/main/login.lua?pageid=` in HTTP response body.
  • Successful exploitation response body contains OS command output matching `uid=... gid=... groups=...` and the string `Release date`, confirming RCE.
  • Attack is unauthenticated (PR:N) and network-reachable (AV:N); no prior session or credentials required to exploit the printer web interface.
  • Content-Type for the exploit POST must be `application/x-www-form-urlencoded`; monitor for POST requests to `/loadfile.lp` with URL-encoded newlines (`%0a`) in the `username` field.
  • ·Vulnerable firmware versions are strictly prior to P10.19.050004; devices already patched to MR19.5 (e.g. P10.19.050006) are not affected.
  • ·The vulnerability is architecture-specific: only 32-bit ARM builds of the PM43 printer web page modules are affected.

CVSS provenance

nvdv3.19.8CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck9.9CRITICAL
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.