CVE-2023-43743

HIGH

Zultys MX Firmware < 16.0.4 - Authenticated SQL Injection via /newapi/ Filter Parameter

Title source: llm
STIX 2.1

Description

A SQL injection vulnerability in Zultys MX-SE, MX-SE II, MX-E, MX-Virtual, MX250, and MX30 with firmware versions prior to 17.0.10 patch 17161 and 16.04 patch 16109 allows an authenticated attacker to execute arbitrary SQL queries on the backend database via the filter parameter in requests to the /newapi/ endpoint in the Zultys MX web interface.

References (2)

Core 2

Scores

CVSS v3 8.8
EPSS 0.0069
EPSS Percentile 48.2%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

CWE
CWE-89
Status published
Products (6)
zultys/mx-e_firmware < 16.0.4
zultys/mx-se_firmware < 16.0.4
zultys/mx-se_ii_firmware < 16.0.4
zultys/mx-virtual_firmware < 16.0.4
zultys/mx250_firmware < 16.0.4
zultys/mx30_firmware < 16.0.4
Published Dec 08, 2023
Tracked Since Feb 18, 2026