CVE-2023-41109
published 2023-08-28

CVE-2023-41109: SmartNode SN200 (aka SN200) 3.21.2-23021 allows unauthenticated OS Command Injection.

Priority: P192 · critical · 9.8 (CVSS 3.1)
AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 64.11% (99.1th percentile)

Affected

1 ranges
Vendor: patton
Product: smartnode_sn200_firmware
Version range: <= 3.21.2-23021
Fixed in: (none listed)

Detection & IOCs (extracted from sources)

url: POST /rest/xxxxxxxxxxxxxxx/xxxxxxx?executeAsync HTTP/1.1
url: http://packetstormsecurity.com/files/175945/SmartNode-SN200-3.21.2-23021-OS-Command-Injection.html
url: https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2023-019.txt
  • Detect unauthenticated POST requests to the /rest/ endpoint with the 'executeAsync' query parameter, which is the attack vector for OS command injection on SmartNode SN200.
  • Look for HTTP requests carrying a Cookie header with AuthToken empty, AuthGroup=superuser, and UserName=admin — the unauthenticated bypass pattern used in exploitation.
  • Inspect POST body for JSON payloads containing a 'cmd' key with shell command strings and an 'arguments' array, indicative of the command injection request format.
  • The Nuclei template matcher checks for the MD5 hash 'dd556350275e2ee0a2e877cea9c8a74a' in the response body as proof-of-execution for the injected command 'echo CVE-2023-41109 | md5sum'.
  • The exact REST API path segments are redacted (shown as 'xxxxxxxxxxxxxxx/xxxxxxx') in the public template; the actual endpoint path may vary and should be sourced from the full advisory.
  • Vulnerability affects SmartNode SN200 firmware version 3.21.2-23021 specifically; other firmware versions may or may not be affected.
  • The EPSS score of 0.92236 (99.718th percentile) indicates very high probability of exploitation in the wild; prioritize detection and patching accordingly.
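
The first three indicators above can be combined into one check over proxy or WAF request logs. The following is an added example, not code from this page, the advisory or the Nuclei template; the function names, indicator labels and sample requests are constructed for illustration, and the path uses the page's redacted placeholder.

```python
import json
from urllib.parse import urlsplit, parse_qs

def parse_cookie(header):
    """Split a Cookie header into a dict, keeping empty values (AuthToken=)."""
    pairs = {}
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            pairs[name] = value
    return pairs

def score_request(method, target, headers, body):
    """Return the indicators from the list above that one request matches."""
    hits = []
    url = urlsplit(target)
    query = parse_qs(url.query, keep_blank_values=True)  # keeps bare "?executeAsync"
    if method.upper() == "POST" and url.path.startswith("/rest/") and "executeAsync" in query:
        hits.append("rest-executeAsync")
    hdrs = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    cookie = parse_cookie(hdrs.get("cookie", ""))
    if (cookie.get("AuthToken") == "" and cookie.get("AuthGroup") == "superuser"
            and cookie.get("UserName") == "admin"):
        hits.append("empty-authtoken-superuser")
    try:
        doc = json.loads(body)
    except (ValueError, TypeError):
        doc = None  # non-JSON or missing body
    if isinstance(doc, dict) and isinstance(doc.get("cmd"), str) \
            and isinstance(doc.get("arguments"), list):
        hits.append("cmd-arguments-json")
    return hits

def is_high_confidence(hits):
    """All three indicators together are the pattern the page describes."""
    return len(hits) == 3

# Constructed sample requests (placeholder path and body values, not captured traffic).
PATH = "/rest/xxxxxxxxxxxxxxx/xxxxxxx?executeAsync"
BODY = '{"cmd": "placeholder", "arguments": []}'
SUSPECT = ("POST", PATH, {"Cookie": "AuthToken=; AuthGroup=superuser; UserName=admin"}, BODY)
LOGGED_IN = ("POST", PATH, {"cookie": "AuthToken=abc123; AuthGroup=superuser; UserName=admin"}, BODY)

if __name__ == "__main__":
    for req in (SUSPECT, LOGGED_IN):
        hits = score_request(*req)
        print(is_high_confidence(hits), hits)
```

A request carrying a non-empty AuthToken still matches the endpoint and body indicators, so the partial result is worth logging at lower severity rather than discarding.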

CVSS provenance

nvd: v3.1, 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck: 9.8 CRITICAL