CVE-2023-28343

CRITICAL EXPLOITED NUCLEI

APSystems Energy Communication Unit Firmware C1.2.5 - OS Command Injection via Timezone Parameter

Title source: llm

Exploitation Summary

CVE-2023-28343 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 4 public exploits from researchers including Ahmed Alroky, superzerosec, gobysec. A Nuclei detection template is also available.

AI-analyzed exploit summary This exploit leverages an OS command injection vulnerability in Altenergy Power Control Software C1.2.5 via the timezone parameter in a POST request to execute arbitrary commands, resulting in a reverse shell.

Description

OS command injection affects Altenergy Power Control Software C1.2.5 via shell metacharacters in the index.php/management/set_timezone timezone parameter, because of set_timezone in models/management_model.php.

Exploits (4)

exploitdb WORKING POC

by Ahmed Alroky · pythonwebappshardware

https://www.exploit-db.com/exploits/51325

View Code ZIP pw:eip

This exploit leverages an OS command injection vulnerability in Altenergy Power Control Software C1.2.5 via the timezone parameter in a POST request to execute arbitrary commands, resulting in a reverse shell.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Trivial

Reliability

Reliable

Target: Altenergy Power Control Software C1.2.5

No auth needed

Prerequisites: Network access to the target application · Target application must be running Altenergy Power Control Software C1.2.5

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Feb 16, 2026 Full analysis →

nomisec WORKING POC 8 stars

by superzerosec · remote

https://github.com/superzerosec/CVE-2023-28343

View Code ZIP pw:eip

This repository contains a functional exploit for CVE-2023-28343, which leverages command injection in the 'timezone' parameter of a PHP endpoint to achieve remote code execution (RCE). The exploit uses a reverse shell payload delivered via netcat, with optional automatic external IP detection for the listener.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Trivial

Reliability

Reliable

Target: Unknown (likely a web application with a vulnerable PHP endpoint)

No auth needed

Prerequisites: Network access to the target web application · Outbound connectivity from the target to the attacker's listener

MITRE ATT&CK

T1189 - Drive-by Compromise T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Feb 18, 2026 Full analysis →

nomisec SUSPICIOUS 6 stars

by gobysec · poc

https://github.com/gobysec/CVE-2023-28343

View Code ZIP pw:eip

The repository lacks actual exploit code and instead directs users to external platforms (GitHub issues, Telegram, WeChat) for further engagement. The README contains no technical details about the vulnerability, only a generic description and marketing language.

Classification

Suspicious 90%

Attack Type

Rce

Complexity

Theoretical

Reliability

Theoretical

Target: Altenergy Power System Control Software C1.2.5

No auth needed

devstral-2 · analyzed Feb 18, 2026 Full analysis →

vulncheck_xdb WORKING POC

remote

https://github.com/ahmedalroky/Disclosures

View Code ZIP pw:eip

This repository contains a functional exploit for CVE-2023-28343, an OS command injection vulnerability in Altenergy Power Control Software. The exploit leverages insufficient input validation in the timezone parameter to achieve remote code execution.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Trivial

Reliability

Reliable

Target: Altenergy Power Control Software C1.2.5

No auth needed

Prerequisites: Network access to the target device · Target device running vulnerable software version

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 25, 2026 Full analysis →

Nuclei Templates (1)

Altenergy Power Control Software C1.2.5 - Remote Command Injection

CRITICALby pikpikcu

Shodan: title:"Altenergy Power Control Software" || http.title:"altenergy power control software"

FOFA: title="altenergy power control software"

References (3)

Core 3

Core References

Product

https://apsystems.com

Exploit, Third Party Advisory

https://github.com/ahmedalroky/Disclosures/blob/main/apesystems/os_command_injection.md

View Exploit ZIP pw:eip

Exploit, Third Party Advisory

http://packetstormsecurity.com/files/171775/Altenergy-Power-Control-Software-C1.2.5-Command-Injection.html

Scores

CVSS v3 9.8

EPSS 0.8533

EPSS Percentile 99.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

VulnCheck KEV 2023-12-04

CWE

CWE-78

Status published

Products (1)

apsystems/energy_communication_unit_firmware c1.2.5

Published Mar 14, 2023

Tracked Since Feb 18, 2026