Description
Connected IO v2.1.0 and prior includes a command in its communication protocol that allows the management platform to specify arbitrary OS commands for devices to execute. Attackers abusing this dangerous functionality may issue OS commands to all devices, resulting in arbitrary remote command execution.
References (2)
Core References
Third Party Advisory
https://claroty.com/team82/disclosure-dashboard/cve-2023-33374
Scores
CVSS v3
9.8
EPSS
0.0132
EPSS Percentile
67.3%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
total
Details
CWE
CWE-78
Status
published
Products (1)
connectedio/connected_io
< 2.1.0
Published
Aug 04, 2023
Tracked Since
Feb 18, 2026