CVE-2023-43744
HIGHZultys MX-SE <17.0.10.17161 & 16.04.16109 - Command Injection
Title source: llmDescription
An OS command injection vulnerability in Zultys MX-SE, MX-SE II, MX-E, MX-Virtual, MX250, and MX30 with firmware versions prior to 17.0.10 patch 17161 and 16.04 patch 16109 allows an administrator to execute arbitrary OS commands via a file name parameter in a patch application function. The Zultys MX Administrator client has a "Patch Manager" section that allows administrators to apply patches to the device. The user supplied filename for the patch file is passed to a shell script without validation. Including bash command substitution characters in a patch file name results in execution of the provided command.
References (2)
Core 2
Core References
Third Party Advisory
https://github.com/atredispartners/advisories/blob/master/ATREDIS-2023-0002.md
Product
https://mxvirtual.com
Scores
CVSS v3
7.2
EPSS
0.0199
EPSS Percentile
78.0%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-78
Status
published
Products (6)
zultys/mx-e_firmware
< 16.0.4
zultys/mx-se_firmware
< 16.0.4
zultys/mx-se_ii_firmware
< 16.0.4
zultys/mx-virtual_firmware
< 16.0.4
zultys/mx250_firmware
< 16.0.4
zultys/mx30_firmware
< 16.0.4
Published
Dec 08, 2023
Tracked Since
Feb 18, 2026