← Back to CVE List

CVE-2023-43744

Published: 2023-12-08T01:15Z
Last Modified: 2024-11-21T08:24Z
Source: MITRE CVE List
License: MITRE-CVE-TOS
An OS command injection vulnerability in Zultys MX-SE, MX-SE II, MX-E, MX-Virtual, MX250, and MX30 with firmware versions prior to 17.0.10 patch 17161 and 16.04 patch 16109 allows an administrator to execute arbitrary OS commands via a file name parameter in a patch application function. The Zultys MX Administrator client has a "Patch Manager" section that allows administrators to apply patches to the device. The user supplied filename for the patch file is passed to a shell script without validation. Including bash command substitution characters in a patch file name results in execution of the provided command. > MITRE Terms of Use apply – see LICENSE‑MITRE.txt