CVE-2023-49959

CRITICAL

PROFINET-INspektor NT <= 2.4.0 - Remote Command Injection via Crafted Filename Parameter

Title source: llm

Description

In Indo-Sol PROFINET-INspektor NT through 2.4.0, a command injection vulnerability in the gedtupdater service of the firmware allows remote attackers to execute arbitrary system commands with root privileges via a crafted filename parameter in POST requests to the /api/updater/ctrl/start_update endpoint.

References (2)

Core 2

Core References

Third Party Advisory

https://code-white.com/public-vulnerability-list/

Product

https://www.indu-sol.com/en/products/profinet/diagnostics/profinet-inspektorr-nt/

Scores

CVSS v3 9.8

EPSS 0.0138

EPSS Percentile 68.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-77

Status published

Products (1)

indu-sol/profinet-inspektor_nt < 2.4.1

Published Feb 26, 2024

Tracked Since Feb 18, 2026