CVE-2023-41109
Published 2023-08-28
CVE-2023-41109: SmartNode SN200 (aka SN200) 3.21.2-23021 allows unauthenticated OS Command Injection.
Priority P192 · critical · 9.8 (CVSS 3.1)
AV:N · AC:L · PR:N · UI:N · S:U · C:H · I:H · A:H
ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 64.11% (99.1th percentile)
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| patton | smartnode_sn200_firmware | <= 3.21.2-23021 | — |
Detection & IOCs (extracted from sources)
url: POST /rest/xxxxxxxxxxxxxxx/xxxxxxx?executeAsync HTTP/1.1
url: http://packetstormsecurity.com/files/175945/SmartNode-SN200-3.21.2-23021-OS-Command-Injection.html
- Detect unauthenticated POST requests to the /rest/ endpoint with the 'executeAsync' query parameter, which is the attack vector for OS command injection on SmartNode SN200.
- Look for HTTP requests carrying a Cookie header with AuthToken empty, AuthGroup=superuser, and UserName=admin — the unauthenticated bypass pattern used in exploitation.
- Inspect POST body for JSON payloads containing a 'cmd' key with shell command strings and an 'arguments' array, indicative of the command injection request format.
- The Nuclei template matcher checks for the MD5 hash 'dd556350275e2ee0a2e877cea9c8a74a' in the response body as proof-of-execution for the injected command 'echo CVE-2023-41109 | md5sum'.
- The exact REST API path segments are redacted (shown as 'xxxxxxxxxxxxxxx/xxxxxxx') in the public template; the actual endpoint path may vary and should be sourced from the full advisory.
- Vulnerability affects SmartNode SN200 firmware version 3.21.2-23021 specifically; other firmware versions may or may not be affected.
- The EPSS score of 0.92236 (99.718th percentile) indicates very high probability of exploitation in the wild; prioritize detection and patching accordingly.
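The three request-level indicators above can be combined into a single triage check. This is an added example, not code from the indexed sources or the Nuclei template; the path segments, host name, token and body values in the sample requests are constructed placeholders, and the alert/review split is an assumption.

```python
import json

def parse_request(raw):
    """Split a raw HTTP/1.1 request into method, target, headers, body."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body

def indicators(raw):
    """Return which of the three request indicators listed above match."""
    method, target, headers, body = parse_request(raw)
    path, _, query = target.partition("?")
    hits = []
    params = {p.partition("=")[0].lower() for p in query.split("&")}
    if method == "POST" and path.startswith("/rest/") and "executeasync" in params:
        hits.append("rest-executeAsync")
    cookies = {}
    for part in headers.get("cookie", "").split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            cookies[key] = value
    if (cookies.get("AuthToken") == "" and cookies.get("AuthGroup") == "superuser"
            and cookies.get("UserName") == "admin"):
        hits.append("empty-token-superuser-cookie")
    try:
        doc = json.loads(body)
    except ValueError:  # empty or non-JSON body
        doc = None
    if (isinstance(doc, dict) and isinstance(doc.get("cmd"), str)
            and isinstance(doc.get("arguments"), list)):
        hits.append("cmd-arguments-body")
    return hits

def verdict(raw):
    # Assumed policy: endpoint hit plus empty-token cookie is an alert.
    hits = indicators(raw)
    if {"rest-executeAsync", "empty-token-superuser-cookie"} <= set(hits):
        return "alert"
    return "review" if hits else "ok"

# Constructed sample requests; path segments and body values are placeholders.
_BODY = '{"cmd": "placeholder", "arguments": ["placeholder-arg"]}'
_HEAD = "POST /rest/REDACTED/PATH?executeAsync HTTP/1.1\r\nHost: device.example\r\n"
SUSPECT = _HEAD + "Cookie: AuthToken=; AuthGroup=superuser; UserName=admin\r\n\r\n" + _BODY
AUTHED = _HEAD + "Cookie: AuthToken=constructed; AuthGroup=superuser; UserName=admin\r\n\r\n" + _BODY
BENIGN = "GET /index.html HTTP/1.1\r\nHost: device.example\r\n\r\n"
```

`verdict(SUSPECT)` returns "alert", `verdict(AUTHED)` returns "review" because the token is non-empty, and `verdict(BENIGN)` returns "ok".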
CVSS provenance
nvd · v3.1 · 9.8 CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck · 9.8 CRITICAL
GHSA
GHSA-cg7v-jcg7-3j87: SmartNode SN200 (aka SN200) 3
ghsa_unreviewed·2023-08-28
CVE-2023-41109 [CRITICAL] CWE-78 GHSA-cg7v-jcg7-3j87: SmartNode SN200 (aka SN200) 3
SmartNode SN200 (aka SN200) 3.21.2-23021 allows unauthenticated OS Command Injection.
VulnCheck
patton smartnode_sn200_firmware Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
vulncheck·2023·CVSS 9.8
CVE-2023-41109 [CRITICAL] patton smartnode_sn200_firmware Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
SmartNode SN200 (aka SN200) 3.21.2-23021 allows unauthenticated OS Command Injection.
Affected: patton smartnode_sn200_firmware
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-06-22&host_type=src&vulnerability=cve-2023-41109; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-06-26&host_type=src&vulnerability=cve-2023-41109; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-06-28&host_type
No detection rules found.
Nuclei
SmartNode SN200 Analog Telephone Adapter (ATA) & VoIP Gateway - Command Injection
nuclei·CVSS 9.8
CVE-2023-41109 [CRITICAL] SmartNode SN200 Analog Telephone Adapter (ATA) & VoIP Gateway - Command Injection
The SmartNode SN200 Analog Telephone Adapter (ATA) & VoIP Gateway is vulnerable to command injection.
Template:
```yaml
id: CVE-2023-41109

info:
  name: SmartNode SN200 Analog Telephone Adapter (ATA) & VoIP Gateway - Command Injection
  author: princechaddha
  severity: critical
  description: |
    The SmartNode SN200 Analog Telephone Adapter (ATA) & VoIP Gateway is vulnerable to command injection.
  impact: |
    Successful exploitation of this vulnerability could allow an attacker to execute arbitrary commands on the affected device.
  remediation: |
    Apply the latest firmware update provided by the vendor to mitigate this vulnerability.
  reference:
    - https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2023-019.tx
```
No writeups or analysis indexed.
- http://packetstormsecurity.com/files/175945/SmartNode-SN200-3.21.2-23021-OS-Command-Injection.html
- http://seclists.org/fulldisclosure/2023/Nov/12
- https://www.syss.de/
- https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2023-019.txt