CVE-2023-43744

Summary

CVE-2023-43744 is an OS command injection vulnerability that affects Zultys MX-SE, MX-SE II, MX-E, MX-Virtual, MX250, and MX30 with firmware versions prior to 17.0.10 patch 17161 and 16.04 patch 16109. This vulnerability allows an administrator to execute arbitrary OS commands by manipulating the file name parameter in a patch application function. The Zultys MX Administrator client's "Patch Manager" section is where administrators can apply patches to the device. However, the user-supplied filename for the patch file is not properly validated, allowing for the execution of malicious commands through bash command substitution characters. This vulnerability poses a high risk to organizations as it can be exploited remotely without requiring any user interaction. The impact includes high integrity and confidentiality impacts and can potentially lead to compromise and disruption of systems. It is recommended to upgrade to firmware versions 17.0.10 patch 17161 or 16.04 patch 16109 to remediate this vulnerability.

Prevent cyber attacks with Recorded Future by prioritizing and patching critical vulnerabilities being exploited by threat actors targeting your industry. Book your demo to learn more.