CVE-2023-1097 (GCVE-0-2023-1097)
Vulnerability from cvelistv5 – Published: 2023-03-01 19:29 – Updated: 2025-03-07 15:53
VLAI?
Summary
Baicells EG7035-M11 devices with firmware through BCE-ODU-1.0.8 are vulnerable to improper code exploitation via HTTP GET command injections. Commands are executed using pre-login execution and executed with root permissions. The following methods have been tested and validated by a 3rd party analyst and have been confirmed exploitable special thanks to Lionel Musonza for the discovery.
Severity ?
9.3 (Critical)
CWE
- CWE-94 - Improper Control of Generation of Code ('Code Injection')
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Baicells | EG7035-M11 |
Affected:
0 , ≤ BCE-ODU-1.0.8
(patch)
|
Credits
Lionel Musonza
Baicells Security Team
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T05:32:46.398Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"patch",
"release-notes",
"x_transferred"
],
"url": "https://community.na.baicells.com/t/baice-bm-2-5-26-new-cpe-software-has-been-released/1756"
},
{
"tags": [
"patch",
"x_transferred"
],
"url": "https://img.baicells.com//Upload/20220524/FILE/BaiCE_BM_2.5.26_NA.bin.bin"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-1097",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-07T15:53:08.611371Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-07T15:53:21.691Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"BCE"
],
"product": "EG7035-M11",
"vendor": "Baicells",
"versions": [
{
"changes": [
{
"at": "BaiCE_BM_2.5.26",
"status": "unaffected"
}
],
"lessThanOrEqual": " BCE-ODU-1.0.8",
"status": "affected",
"version": "0",
"versionType": "patch"
}
]
}
],
"configurations": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "CPE would need to be configured and running on BCE-ODU-1.0.8 firmware and older along with being accessible on the internal network or public network. If the Web interface is enabled it will allow users to exploit using the above method. "
}
],
"value": "CPE would need to be configured and running on BCE-ODU-1.0.8 firmware and older along with being accessible on the internal network or public network. If the Web interface is enabled it will allow users to exploit using the above method. "
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Lionel Musonza"
},
{
"lang": "en",
"type": "remediation developer",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Baicells Security Team"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eBaicells EG7035-M11 devices with firmware through BCE-ODU-1.0.8 are vulnerable to improper code exploitation via HTTP GET command injections. Commands are executed using pre-login execution and executed with root permissions. The following methods have been tested and validated by a 3rd party analyst and have been confirmed exploitable special thanks to Lionel Musonza for the discovery.\u003cbr\u003e\u003c/span\u003e\u003cbr\u003e\u003cbr\u003e\u003c/p\u003e\u003cbr\u003e"
}
],
"value": "Baicells EG7035-M11 devices with firmware through BCE-ODU-1.0.8 are vulnerable to improper code exploitation via HTTP GET command injections. Commands are executed using pre-login execution and executed with root permissions. The following methods have been tested and validated by a 3rd party analyst and have been confirmed exploitable special thanks to Lionel Musonza for the discovery.\n\n\n\n\n\n"
}
],
"impacts": [
{
"capecId": "CAPEC-108",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-108 Command Line Execution through SQL Injection"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": " CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-03-01T19:29:26.456Z",
"orgId": "084566ad-deee-4e89-acff-6b7b1bf9d4b7",
"shortName": "Baicells"
},
"references": [
{
"tags": [
"patch",
"release-notes"
],
"url": "https://community.na.baicells.com/t/baice-bm-2-5-26-new-cpe-software-has-been-released/1756"
},
{
"tags": [
"patch"
],
"url": "https://img.baicells.com//Upload/20220524/FILE/BaiCE_BM_2.5.26_NA.bin.bin"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eBaicells recommends that all customers currently running an earlier version of BCE-ODU-1.0.8 upgrade\u0026nbsp;their product to the BaiCE_BM_2.5.26\u0026nbsp;firmware.\u003c/p\u003e\u003cbr\u003e"
}
],
"value": "Baicells recommends that all customers currently running an earlier version of BCE-ODU-1.0.8 upgrade\u00a0their product to the BaiCE_BM_2.5.26\u00a0firmware.\n\n\n"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Unauthenticated Command Injection EG7035-M11 Series",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "084566ad-deee-4e89-acff-6b7b1bf9d4b7",
"assignerShortName": "Baicells",
"cveId": "CVE-2023-1097",
"datePublished": "2023-03-01T19:29:26.456Z",
"dateReserved": "2023-02-28T17:35:19.554Z",
"dateUpdated": "2025-03-07T15:53:21.691Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"fkie_nvd": {
"configurations": "[{\"operator\": \"AND\", \"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:baicells:eg7035-m11_firmware:*:*:*:*:*:*:*:*\", \"versionEndIncluding\": \"bce-odu-1.0.8\", \"matchCriteriaId\": \"36273B84-D85D-43E1-92E2-B30F5C68E989\"}]}, {\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": false, \"criteria\": \"cpe:2.3:h:baicells:eg7035-m11:-:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"3EA6185C-6193-4821-823C-7C6BF54208B9\"}]}]}]",
"descriptions": "[{\"lang\": \"en\", \"value\": \"Baicells EG7035-M11 devices with firmware through BCE-ODU-1.0.8 are vulnerable to improper code exploitation via HTTP GET command injections. Commands are executed using pre-login execution and executed with root permissions. The following methods have been tested and validated by a 3rd party analyst and have been confirmed exploitable special thanks to Lionel Musonza for the discovery.\\n\\n\\n\\n\\n\\n\"}]",
"id": "CVE-2023-1097",
"lastModified": "2024-11-21T07:38:27.123",
"metrics": "{\"cvssMetricV31\": [{\"source\": \"security@baicells.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H\", \"baseScore\": 9.3, \"baseSeverity\": \"CRITICAL\", \"attackVector\": \"LOCAL\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"CHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 2.5, \"impactScore\": 6.0}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\", \"baseScore\": 9.8, \"baseSeverity\": \"CRITICAL\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 5.9}]}",
"published": "2023-03-01T20:15:11.073",
"references": "[{\"url\": \"https://community.na.baicells.com/t/baice-bm-2-5-26-new-cpe-software-has-been-released/1756\", \"source\": \"security@baicells.com\", \"tags\": [\"Release Notes\"]}, {\"url\": \"https://img.baicells.com//Upload/20220524/FILE/BaiCE_BM_2.5.26_NA.bin.bin\", \"source\": \"security@baicells.com\", \"tags\": [\"Product\"]}, {\"url\": \"https://community.na.baicells.com/t/baice-bm-2-5-26-new-cpe-software-has-been-released/1756\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Release Notes\"]}, {\"url\": \"https://img.baicells.com//Upload/20220524/FILE/BaiCE_BM_2.5.26_NA.bin.bin\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Product\"]}]",
"sourceIdentifier": "security@baicells.com",
"vulnStatus": "Modified",
"weaknesses": "[{\"source\": \"security@baicells.com\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-94\"}]}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-77\"}]}]"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2023-1097\",\"sourceIdentifier\":\"security@baicells.com\",\"published\":\"2023-03-01T20:15:11.073\",\"lastModified\":\"2024-11-21T07:38:27.123\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Baicells EG7035-M11 devices with firmware through BCE-ODU-1.0.8 are vulnerable to improper code exploitation via HTTP GET command injections. Commands are executed using pre-login execution and executed with root permissions. The following methods have been tested and validated by a 3rd party analyst and have been confirmed exploitable special thanks to Lionel Musonza for the discovery.\\n\\n\\n\\n\\n\\n\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security@baicells.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H\",\"baseScore\":9.3,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.5,\"impactScore\":6.0},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"security@baicells.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-94\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-77\"}]}],\"configurations\":[{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:baicells:eg7035-m11_firmware:*:*:*:*:*:*:*:*\",\"versionEndIncluding\":\"bce-odu-1.0.8\",\"matchCriteriaId\":\"36273B84-D85D-43E1-92E2-B30F5C68E989\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:baicells:eg7035-m11:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"3EA6185C-6193-4821-823C-7C6BF54208B9\"}]}]}],\"references\":[{\"url\":\"https://community.na.baicells.com/t/baice-bm-2-5-26-new-cpe-software-has-been-released/1756\",\"source\":\"security@baicells.com\",\"tags\":[\"Release Notes\"]},{\"url\":\"https://img.baicells.com//Upload/20220524/FILE/BaiCE_BM_2.5.26_NA.bin.bin\",\"source\":\"security@baicells.com\",\"tags\":[\"Product\"]},{\"url\":\"https://community.na.baicells.com/t/baice-bm-2-5-26-new-cpe-software-has-been-released/1756\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Release Notes\"]},{\"url\":\"https://img.baicells.com//Upload/20220524/FILE/BaiCE_BM_2.5.26_NA.bin.bin\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Product\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://community.na.baicells.com/t/baice-bm-2-5-26-new-cpe-software-has-been-released/1756\", \"tags\": [\"patch\", \"release-notes\", \"x_transferred\"]}, {\"url\": \"https://img.baicells.com//Upload/20220524/FILE/BaiCE_BM_2.5.26_NA.bin.bin\", \"tags\": [\"patch\", \"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-02T05:32:46.398Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2023-1097\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-03-07T15:53:08.611371Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-03-07T15:53:18.405Z\"}}], \"cna\": {\"title\": \"Unauthenticated Command Injection EG7035-M11 Series\", \"source\": {\"discovery\": \"UNKNOWN\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"user\": \"00000000-0000-4000-9000-000000000000\", \"value\": \"Lionel Musonza\"}, {\"lang\": \"en\", \"type\": \"remediation developer\", \"user\": \"00000000-0000-4000-9000-000000000000\", \"value\": \"Baicells Security Team\"}], \"impacts\": [{\"capecId\": \"CAPEC-108\", \"descriptions\": [{\"lang\": \"en\", \"value\": \"CAPEC-108 Command Line Execution through SQL Injection\"}]}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 9.3, \"attackVector\": \"LOCAL\", \"baseSeverity\": \"CRITICAL\", \"vectorString\": \"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"Baicells\", \"product\": \"EG7035-M11\", \"versions\": [{\"status\": \"affected\", \"changes\": [{\"at\": \"BaiCE_BM_2.5.26\", \"status\": \"unaffected\"}], \"version\": \"0\", \"versionType\": \"patch\", \"lessThanOrEqual\": \" BCE-ODU-1.0.8\"}], \"platforms\": [\"BCE\"], \"defaultStatus\": \"unaffected\"}], \"solutions\": [{\"lang\": \"en\", \"value\": \"Baicells recommends that all customers currently running an earlier version of BCE-ODU-1.0.8 upgrade\\u00a0their product to the BaiCE_BM_2.5.26\\u00a0firmware.\\n\\n\\n\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cp\u003eBaicells recommends that all customers currently running an earlier version of BCE-ODU-1.0.8 upgrade\u0026nbsp;their product to the BaiCE_BM_2.5.26\u0026nbsp;firmware.\u003c/p\u003e\u003cbr\u003e\", \"base64\": false}]}], \"references\": [{\"url\": \"https://community.na.baicells.com/t/baice-bm-2-5-26-new-cpe-software-has-been-released/1756\", \"tags\": [\"patch\", \"release-notes\"]}, {\"url\": \"https://img.baicells.com//Upload/20220524/FILE/BaiCE_BM_2.5.26_NA.bin.bin\", \"tags\": [\"patch\"]}], \"x_generator\": {\"engine\": \"Vulnogram 0.1.0-dev\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"Baicells EG7035-M11 devices with firmware through BCE-ODU-1.0.8 are vulnerable to improper code exploitation via HTTP GET command injections. Commands are executed using pre-login execution and executed with root permissions. The following methods have been tested and validated by a 3rd party analyst and have been confirmed exploitable special thanks to Lionel Musonza for the discovery.\\n\\n\\n\\n\\n\\n\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cp\u003e\u003cspan style=\\\"background-color: rgb(255, 255, 255);\\\"\u003eBaicells EG7035-M11 devices with firmware through BCE-ODU-1.0.8 are vulnerable to improper code exploitation via HTTP GET command injections. Commands are executed using pre-login execution and executed with root permissions. The following methods have been tested and validated by a 3rd party analyst and have been confirmed exploitable special thanks to Lionel Musonza for the discovery.\u003cbr\u003e\u003c/span\u003e\u003cbr\u003e\u003cbr\u003e\u003c/p\u003e\u003cbr\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-94\", \"description\": \" CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)\"}]}], \"configurations\": [{\"lang\": \"en\", \"value\": \"CPE would need to be configured and running on BCE-ODU-1.0.8 firmware and older along with being accessible on the internal network or public network. If the Web interface is enabled it will allow users to exploit using the above method. \", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"CPE would need to be configured and running on BCE-ODU-1.0.8 firmware and older along with being accessible on the internal network or public network. If the Web interface is enabled it will allow users to exploit using the above method. \", \"base64\": false}]}], \"providerMetadata\": {\"orgId\": \"084566ad-deee-4e89-acff-6b7b1bf9d4b7\", \"shortName\": \"Baicells\", \"dateUpdated\": \"2023-03-01T19:29:26.456Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2023-1097\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-03-07T15:53:21.691Z\", \"dateReserved\": \"2023-02-28T17:35:19.554Z\", \"assignerOrgId\": \"084566ad-deee-4e89-acff-6b7b1bf9d4b7\", \"datePublished\": \"2023-03-01T19:29:26.456Z\", \"assignerShortName\": \"Baicells\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…