CVE-2023-49897
Published 2023-12-06
Priority: P1 · 88 · high · 8.8 (CVSS 3.1)
Vector: AV:N / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:H
KEV: CISA Known Exploited Vulnerability, due 2024-01-11
ITW: Exploited in the wild
EPSS: 50.73% (98.8th percentile)
An OS command injection vulnerability exists in AE1021PE firmware version 2.0.9 and earlier and AE1021 firmware version 2.0.9 and earlier. If this vulnerability is exploited, an arbitrary OS command may be executed by an attacker who can log in to the product.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| fxc | ae1021_firmware | < 2.0.10 | 2.0.10 |
| fxc | ae1021pe_firmware | < 2.0.10 | 2.0.10 |
| fxc_inc | ae1021 | — | — |
| fxc_inc | ae1021pe | — | — |
Detection & IOCs
url: /cgi-bin/action
command: POST /cgi-bin/action [body: ntp.general.hostname=<injected command>]
snort:
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS FXC AE1021 Series Router ntp.general.hostname Authenticated Command Injection Attempt (CVE-2023-49897)"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:15; content:"/cgi-bin/action"; http.request_body; content:"ntp.general.hostname|3d|"; fast_pattern; pcre:"/^[^\x26]*?(?:(?:\x3b|%3[Bb])|(?:\x0a|%0[Aa])|(?:\x60|%60)|(?:\x7c|%7[Cc])|(?:\x24|%24))+/R"; reference:url,www.akamai.com/blog/security-research/zero-day-vulnerability-spreading-mirai-patched; reference:cve,2023-49897; classtype:attempted-admin; sid:2059881; rev:1; metadata:affected_product FXC, attack_target Networking_Equipment, tls_state plaintext, created_at 2025_02_04, cve CVE_2023_49897, deployment Perimeter, deployment Internal, performance_impact Low, confidence High, signature_severity Major, tag Exploit, tag CISA_KEV, updated_at 2025_02_04, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
- Exploitation occurs via the NTP server settings field (ntp.general.hostname parameter) in an authenticated POST request to /cgi-bin/action. Inspect HTTP POST bodies for the string 'ntp.general.hostname=' followed by shell metacharacters (;, newline \x0a, backtick \x60, pipe \x7c, dollar \x24) or their URL-encoded equivalents.
- The vulnerability is exploited by the Mirai-based 'InfectedSlurs' botnet for DDoS recruitment. Devices compromised by this botnet should be treated as potential DDoS participants.
- The URI /cgi-bin/action has a fixed byte size of 15; use bsize:15 matching to reduce false positives when detecting exploit attempts against this endpoint.
- Exploitation requires an authenticated session (low-privilege login sufficient). Monitor for authenticated POST requests to /cgi-bin/action on FXC AE1021/AE1021PE devices running firmware 2.0.9 or earlier.
- Exploitation requires prior authentication (low-privilege credentials are sufficient). The attack vector is adjacent network (AV:A), meaning the attacker must be on the same network segment or have network access to the management interface.
- The Snort/Suricata rule (sid:2059881) is marked tls_state:plaintext, meaning it will NOT detect exploitation over HTTPS/TLS-encrypted management sessions.
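The matching conditions from the bullets above, ported to Python so they can be run over request records taken from a TLS-terminating proxy or web log, where the network rule cannot see the body. This is an added example, not part of the rule set or of the sources quoted on this page; the sample requests and the field names `apply` and `note` are constructed.

```python
import re

URI = "/cgi-bin/action"            # exact match: same effect as bsize:15 + content
FIELD = b"ntp.general.hostname="   # the rule's fast_pattern content
# Same alternation as the rule's pcre: ; newline ` | $ in raw or URL-encoded
# form, reached without crossing "&", i.e. still inside the hostname field.
METACHAR = re.compile(rb"[^&]*?(?:;|%3[Bb]|\n|%0[Aa]|`|%60|\||%7[Cc]|\$|%24)")

def matches_rule(method, uri, body):
    """Return True if a request satisfies the sid:2059881 conditions."""
    if method != "POST" or uri != URI:
        return False
    pos = body.find(FIELD)
    while pos != -1:
        # Anchor the check right after "ntp.general.hostname=" (pcre /R).
        if METACHAR.match(body, pos + len(FIELD)):
            return True
        pos = body.find(FIELD, pos + 1)
    return False

# Constructed sample requests (not captured traffic). PLACEHOLDER stands in
# for whatever follows the metacharacter.
SAMPLES = [
    ("benign", "POST", URI, b"ntp.general.hostname=pool.ntp.org&apply=1"),
    ("raw-semicolon", "POST", URI, b"ntp.general.hostname=pool.ntp.org;PLACEHOLDER"),
    ("encoded-backtick", "POST", URI, b"ntp.general.hostname=%60PLACEHOLDER%60&apply=1"),
    # Metacharacter sits in a different form field: must not alert.
    ("other-field", "POST", URI, b"ntp.general.hostname=pool.ntp.org&note=a;b"),
    ("other-uri", "POST", "/index.html", b"ntp.general.hostname=x;PLACEHOLDER"),
]

def flagged(samples):
    """Names of the sample requests that would raise the alert."""
    return [name for name, m, u, b in samples if matches_rule(m, u, b)]

if __name__ == "__main__":
    print(flagged(SAMPLES))
```

The `other-field` case shows why the pattern stops at `&`: a semicolon in an unrelated form field does not trigger the alert.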
CVSS provenance
- nvd: CVSS v3.1, 8.8 HIGH, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- vulncheck: 8.8 HIGH
- cisa: 8.8 HIGH
CISA ICS
FXC AE1021/AE1021PE
cisa_ics·2023-12-21·CVSS 8.8
[HIGH] FXC AE1021/AE1021PE
ICS Advisory
Release Date: December 21, 2023
Alert Code: ICSA-23-355-01
## 1. EXECUTIVE SUMMARY
- CVSS v3 8.0
- ATTENTION: Exploitable remotely/low attack complexity/public exploits are available/known public exploitation
- Vendor: FXC
- Equipment: AE1021, AE1021PE
- Vulnerability: OS Command Injection
## 2. RISK EVALUATION
Successful exploitation of this vulnerability could allow an attacker to achieve remote code execution on the device via NTP server settings.
## 3. TECHNICAL DETAILS
## 3.1 AFFECTED PRODUCTS
The following versions of FXC AE1021, a wireless LAN router, are affected:
- AE1021PE firmware: version 2.0.9 and earlier
- AE1021 firmware: version 2.0.9 and earlier
## 3.2 Vulnerability Overview
3.2.1 IMPROPER N
CISA
FXC AE1021, AE1021PE OS Command Injection Vulnerability
cisa·2023-12-21·CVSS 8.8
CVE-2023-49897 [HIGH] CWE-78 FXC AE1021, AE1021PE OS Command Injection Vulnerability
Vulnerability: FXC AE1021, AE1021PE OS Command Injection Vulnerability
Affected: FXC AE1021, AE1021PE
FXC AE1021 and AE1021PE contain an OS command injection vulnerability that allows authenticated users to execute commands via a network.
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Notes: https://www.fxc.jp/news/20231206 ; https://nvd.nist.gov/vuln/detail/CVE-2023-49897
Remediation Due Date: 2024-01-11
GHSA
GHSA-x3f3-j7qh-9wgj: An OS command injection vulnerability exists in AE1021PE firmware version 2
ghsa_unreviewed·2023-12-06
CVE-2023-49897 [HIGH] CWE-78 GHSA-x3f3-j7qh-9wgj: An OS command injection vulnerability exists in AE1021PE firmware version 2
An OS command injection vulnerability exists in AE1021PE firmware version 2.0.9 and earlier and AE1021 firmware version 2.0.9 and earlier. If this vulnerability is exploited, an arbitrary OS command may be executed by an attacker who can log in to the product.
VulnCheck
FXC AE1021, AE1021PE OS Command Injection Vulnerability
vulncheck·2023·CVSS 8.8
CVE-2023-49897 [HIGH] CWE-78 FXC AE1021, AE1021PE OS Command Injection Vulnerability
FXC AE1021 and AE1021PE contain an OS command injection vulnerability that allows authenticated users to execute commands via a network.
Affected: FXC AE1021, AE1021PE
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Exploitation References: https://www.akamai.com/blog/security-research/zero-day-vulnerability-spreading-mirai-patched; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
Remediation Due: 2024-01-11
Suricata
ET WEB_SPECIFIC_APPS FXC AE1021 Series Router ntp.general.hostname Authenticated Command Injection Attempt (CVE-2023-49897)
suricata·2025-02-04·CVSS 8.8
CVE-2023-49897 [HIGH] ET WEB_SPECIFIC_APPS FXC AE1021 Series Router ntp.general.hostname Authenticated Command Injection Attempt (CVE-2023-49897)
Rule: alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS FXC AE1021 Series Router ntp.general.hostname Authenticated Command Injection Attempt (CVE-2023-49897)"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:15; content:"/cgi-bin/action"; http.request_body; content:"ntp.general.hostname|3d|"; fast_pattern; pcre:"/^[^\x26]*?(?:(?:\x3b|%3[Bb])|(?:\x0a|%0[Aa])|(?:\x60|%60)|(?:\x7c|%7[Cc])|(?:\x24|%24))+/R"; reference:url,www.akamai.com/blog/security-research/zero-day-vulnerability-spreading-mirai-patched; reference:cve,2023-49897; classtype:attempted-admin; sid:2059881; rev:1; metadata:affected_product FXC, attack_target Networking
No public exploits indexed.
- https://jvn.jp/en/vu/JVNVU92152057/
- https://www.akamai.com/blog/security-research/zero-day-vulnerability-spreading-mirai-patched
- https://www.cisa.gov/news-events/ics-advisories/icsa-23-355-01
- https://www.fxc.jp/news/20231206
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-49897
2023-12-06: Published
2023-12-21: Added to CISA KEV
Exploited in the wild