cbcvebase.
CVE-2023-49897
published 2023-12-06


Priority: P1
CVSS 3.1 base score: 8.8 (High)
Vector: AV:N / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:H
Flags: KEV, ITW
CISA Known Exploited Vulnerability (due 2024-01-11)
Exploited in the wild
EPSS: 50.73% (98.8th percentile)
An OS command injection vulnerability exists in AE1021PE firmware version 2.0.9 and earlier and AE1021 firmware version 2.0.9 and earlier. If this vulnerability is exploited, an arbitrary OS command may be executed by an attacker who can log in to the product.

Affected (4 ranges)

Vendor    Product            Version range   Fixed in
fxc       ae1021_firmware    < 2.0.10        2.0.10
fxc       ae1021pe_firmware  < 2.0.10        2.0.10
fxc_inc   ae1021             -               -
fxc_inc   ae1021pe           -               -

Detection & IOCs (extracted from sources)

url: /cgi-bin/action
command: POST /cgi-bin/action [body: ntp.general.hostname=<injected command>]
snort:
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS FXC AE1021 Series Router ntp.general.hostname Authenticated Command Injection Attempt (CVE-2023-49897)"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:15; content:"/cgi-bin/action"; http.request_body; content:"ntp.general.hostname|3d|"; fast_pattern; pcre:"/^[^\x26]*?(?:(?:\x3b|%3[Bb])|(?:\x0a|%0[Aa])|(?:\x60|%60)|(?:\x7c|%7[Cc])|(?:\x24|%24))+/R"; reference:url,www.akamai.com/blog/security-research/zero-day-vulnerability-spreading-mirai-patched; reference:cve,2023-49897; classtype:attempted-admin; sid:2059881; rev:1; metadata:affected_product FXC, attack_target Networking_Equipment, tls_state plaintext, created_at 2025_02_04, cve CVE_2023_49897, deployment Perimeter, deployment Internal, performance_impact Low, confidence High, signature_severity Major, tag Exploit, tag CISA_KEV, updated_at 2025_02_04, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
  • Exploitation occurs via the NTP server settings field (ntp.general.hostname parameter) in an authenticated POST request to /cgi-bin/action. Inspect HTTP POST bodies for the string 'ntp.general.hostname=' followed by shell metacharacters (;, newline \x0a, backtick \x60, pipe \x7c, dollar \x24) or their URL-encoded equivalents.
  • The vulnerability is exploited by the Mirai-based 'InfectedSlurs' botnet for DDoS recruitment. Devices compromised by this botnet should be treated as potential DDoS participants.
  • The URI /cgi-bin/action has a fixed byte size of 15; use bsize:15 matching to reduce false positives when detecting exploit attempts against this endpoint.
  • Exploitation requires an authenticated session (low-privilege login sufficient). Monitor for authenticated POST requests to /cgi-bin/action on FXC AE1021/AE1021PE devices running firmware 2.0.9 or earlier.
  • Exploitation requires prior authentication (low-privilege credentials are sufficient). The attack vector is adjacent network (AV:A), meaning the attacker must be on the same network segment or have network access to the management interface.
  • The Snort/Suricata rule (sid:2059881) is marked tls_state:plaintext, meaning it will NOT detect exploitation over HTTPS/TLS-encrypted management sessions.
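The detection logic of the Snort rule above, re-implemented in Python as an added example (not code from this page or from the rule's author) so a defender can check the same conditions against captured plaintext HTTP requests, for instance from a proxy log or pcap export. It mirrors the rule's conditions: method POST, a URI of exactly 15 bytes equal to /cgi-bin/action, and a body containing ntp.general.hostname= whose value, before the next '&' separator, contains a shell metacharacter either raw or percent-encoded. The sample requests and the placeholder_command token in them are constructed for this example.

```python
import re
from urllib.parse import unquote

PARAM = "ntp.general.hostname="

# Same metacharacter set as the rule's PCRE: ';' '\n' '`' '|' '$' raw or
# percent-encoded, and only within the value (no crossing a '&' separator).
META_RE = re.compile(r'^[^&]*?(?:;|%3[Bb]|\n|%0[Aa]|`|%60|\||%7[Cc]|\$|%24)')


def parse_http_request(raw: bytes):
    """Minimal HTTP/1.x request parser: (method, uri, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, uri, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, uri, headers, body.decode("latin-1")


def suspicious_hostname_value(raw: bytes):
    """Return the decoded ntp.general.hostname value if the request matches
    the CVE-2023-49897 injection pattern, otherwise None."""
    method, uri, _headers, body = parse_http_request(raw)
    if method != "POST":
        return None
    # The rule uses bsize:15 plus an exact content match on the URI buffer,
    # so a query string or a longer path does not match.
    if uri != "/cgi-bin/action":
        return None
    idx = body.find(PARAM)
    if idx < 0:
        return None
    rest = body[idx + len(PARAM):]
    if META_RE.search(rest) is None:
        return None
    return unquote(rest.split("&", 1)[0])


def matches_cve_2023_49897(raw: bytes) -> bool:
    return suspicious_hostname_value(raw) is not None


def _req(method: str, uri: str, body: str) -> bytes:
    """Build a constructed sample request (not real traffic)."""
    return (
        f"{method} {uri} HTTP/1.1\r\nHost: 192.0.2.1\r\n"
        f"Content-Type: application/x-www-form-urlencoded\r\n"
        f"Content-Length: {len(body)}\r\n\r\n{body}"
    ).encode()


# Constructed samples: one benign settings change, two injection attempts
# (encoded ';' and raw '|'), and three requests that must not alert.
SAMPLES = {
    "benign": _req("POST", "/cgi-bin/action",
                   "ntp.general.hostname=pool.ntp.org&ntp.general.enable=1"),
    "encoded_semicolon": _req("POST", "/cgi-bin/action",
                              "ntp.general.hostname=pool.ntp.org%3Bplaceholder_command&ntp.general.enable=1"),
    "raw_pipe": _req("POST", "/cgi-bin/action",
                     "ntp.general.enable=1&ntp.general.hostname=x|placeholder_command"),
    "other_uri": _req("POST", "/cgi-bin/other",
                      "ntp.general.hostname=x;placeholder_command"),
    "get_method": _req("GET", "/cgi-bin/action", ""),
    "meta_in_next_param": _req("POST", "/cgi-bin/action",
                               "ntp.general.hostname=pool.ntp.org&note=a;b"),
}


def run_samples() -> dict:
    """Evaluate every constructed sample; maps sample name -> alert flag."""
    return {name: matches_cve_2023_49897(req) for name, req in SAMPLES.items()}


if __name__ == "__main__":
    for name, hit in run_samples().items():
        print(f"{name:20s} alert={hit}")
```

The meta_in_next_param sample shows why the rule scopes its PCRE with [^\x26]*?: a metacharacter in a later parameter does not count, which keeps false positives down on ordinary configuration posts. As the last bullet above notes, this only works on plaintext HTTP; for TLS management sessions the check has to run on the device side or behind a TLS-terminating proxy.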

CVSS provenance

Source     Version  Score  Severity  Vector
nvd        v3.1     8.8    HIGH      CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vulncheck           8.8    HIGH
cisa                8.8    HIGH