CVE-2023-43744 Information

Description

An OS command injection vulnerability in Zultys MX-SE MX-SE II MX-E MX-Virtual MX250 and MX30 with firmware versions prior to 17.0.10 patch 17161 and 16.04 patch 16109 allows an administrator to execute arbitrary OS commands via a file name parameter in a patch application function. The Zultys MX Administrator client has a \Patch Manager\ section that allows administrators to apply patches to the device. The user supplied filename for the patch file is passed to a shell script without validation. Including bash command substitution characters in a patch file name results in execution of the provided command.

Reference

https://mxvirtual.com https://github.com/atredispartners/advisories/blob/master/ATREDIS-2023-0002.md