CVE-2023-32350
moderate-risk
Published 2023-05-22
Versions 00.07.00 through 00.07.03 of Teltonika’s RUT router firmware contain an operating system (OS) command injection vulnerability in a Lua service. An attacker could exploit a parameter in the vulnerable function that calls a user-provided package name by instead providing a package with a malicious name that contains an OS command injection payload.
Do I need to act?
0.30% chance of exploitation
EPSS score — low exploit probability
Not on CISA KEV list
No confirmed active exploitation reported to CISA
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
CVSS 8.0/10 (High)
Attack vector: ADJACENT_NETWORK / LOW complexity
Affected Products (18)
Rut200 Firmware
Rut240 Firmware
Rut241 Firmware
Rut300 Firmware
Rut360 Firmware
Rut901 Firmware
Rut950 Firmware
Rut951 Firmware
Rut955 Firmware
Rut956 Firmware
Rutx08 Firmware
Rutx09 Firmware
Rutx10 Firmware
Rutx11 Firmware
Rutx12 Firmware
Rutx14 Firmware
Rutx50 Firmware
Rutxr1 Firmware
Affected Vendors
References (2)
Third Party Advisory
https://www.cisa.gov/news-events/ics-advisories/icsa-23-131-08
Risk score: 45 / 100 (moderate-risk)
Severity: 25/34 · High
Exploitability: 1/34 · Minimal
Exposure: 19/34 · Moderate