Vulnerability Details : CVE-2023-32350
Versions 00.07.00 through 00.07.03 of Teltonika’s RUT router firmware contain an operating system (OS) command injection vulnerability in a Lua service. An attacker could exploit a parameter in the vulnerable function that calls a user-provided package name by instead providing a package with a malicious name that contains an OS command injection payload.
Products affected by CVE-2023-32350
All listed products are affected in the same firmware version range: from 00.07.00 (inclusive) up to and including 00.07.03.

Vendor » Product | Affected versions | CPE |
---|---|---|
Teltonika-networks » Rut200 Firmware | >= 00.07.00 and <= 00.07.03 | `cpe:2.3:o:teltonika-networks:rut200_firmware:*:*:*:*:*:*:*:*` |
Teltonika-networks » Rut240 Firmware | >= 00.07.00 and <= 00.07.03 | `cpe:2.3:o:teltonika-networks:rut240_firmware:*:*:*:*:*:*:*:*` |
Teltonika-networks » Rut241 Firmware | >= 00.07.00 and <= 00.07.03 | `cpe:2.3:o:teltonika-networks:rut241_firmware:*:*:*:*:*:*:*:*` |
Teltonika-networks » Rut300 Firmware | >= 00.07.00 and <= 00.07.03 | `cpe:2.3:o:teltonika-networks:rut300_firmware:*:*:*:*:*:*:*:*` |
Teltonika-networks » Rut360 Firmware | >= 00.07.00 and <= 00.07.03 | `cpe:2.3:o:teltonika-networks:rut360_firmware:*:*:*:*:*:*:*:*` |
Teltonika-networks » Rut901 Firmware | >= 00.07.00 and <= 00.07.03 | `cpe:2.3:o:teltonika-networks:rut901_firmware:*:*:*:*:*:*:*:*` |
Teltonika-networks » Rut950 Firmware | >= 00.07.00 and <= 00.07.03 | `cpe:2.3:o:teltonika-networks:rut950_firmware:*:*:*:*:*:*:*:*` |
Teltonika-networks » Rut951 Firmware | >= 00.07.00 and <= 00.07.03 | `cpe:2.3:o:teltonika-networks:rut951_firmware:*:*:*:*:*:*:*:*` |
Teltonika-networks » Rut955 Firmware | >= 00.07.00 and <= 00.07.03 | `cpe:2.3:o:teltonika-networks:rut955_firmware:*:*:*:*:*:*:*:*` |
Teltonika-networks » Rut956 Firmware | >= 00.07.00 and <= 00.07.03 | `cpe:2.3:o:teltonika-networks:rut956_firmware:*:*:*:*:*:*:*:*` |
Teltonika-networks » Rutx08 Firmware | >= 00.07.00 and <= 00.07.03 | `cpe:2.3:o:teltonika-networks:rutx08_firmware:*:*:*:*:*:*:*:*` |
Teltonika-networks » Rutx09 Firmware | >= 00.07.00 and <= 00.07.03 | `cpe:2.3:o:teltonika-networks:rutx09_firmware:*:*:*:*:*:*:*:*` |
Teltonika-networks » Rutx10 Firmware | >= 00.07.00 and <= 00.07.03 | `cpe:2.3:o:teltonika-networks:rutx10_firmware:*:*:*:*:*:*:*:*` |
Teltonika-networks » Rutx11 Firmware | >= 00.07.00 and <= 00.07.03 | `cpe:2.3:o:teltonika-networks:rutx11_firmware:*:*:*:*:*:*:*:*` |
Teltonika-networks » Rutx12 Firmware | >= 00.07.00 and <= 00.07.03 | `cpe:2.3:o:teltonika-networks:rutx12_firmware:*:*:*:*:*:*:*:*` |
Teltonika-networks » Rutx14 Firmware | >= 00.07.00 and <= 00.07.03 | `cpe:2.3:o:teltonika-networks:rutx14_firmware:*:*:*:*:*:*:*:*` |
Teltonika-networks » Rutx50 Firmware | >= 00.07.00 and <= 00.07.03 | `cpe:2.3:o:teltonika-networks:rutx50_firmware:*:*:*:*:*:*:*:*` |
Teltonika-networks » Rutxr1 Firmware | >= 00.07.00 and <= 00.07.03 | `cpe:2.3:o:teltonika-networks:rutxr1_firmware:*:*:*:*:*:*:*:*` |
Exploit prediction scoring system (EPSS) score for CVE-2023-32350
- EPSS score: 0.40% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~59% (the proportion of vulnerabilities that are scored at or below this score)
CVSS scores for CVE-2023-32350
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
8.0 | HIGH | CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 2.1 | 5.9 | ICS-CERT | |
8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 2.8 | 5.9 | NIST | |
CWE ids for CVE-2023-32350
- The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. Assigned by: ics-cert@hq.dhs.gov (Primary)
References for CVE-2023-32350
- https://www.cisa.gov/news-events/ics-advisories/icsa-23-131-08 : Teltonika Remote Management System and RUT Model Routers | CISA (Third Party Advisory; US Government Resource)