CVE-2023-37567

Description

Command injection vulnerability in ELECOM and LOGITEC wireless LAN routers allows a remote unauthenticated attacker to execute an arbitrary command by sending a specially crafted request to a certain port of the web management page. Affected products and versions are as follows: WRC-1167GHBK3-A v1.24 and earlier, WRC-F1167ACF2 all versions, WRC-600GHBK-A all versions, WRC-733FEBK2-A all versions, WRC-1467GHBK-A all versions, WRC-1900GHBK-A all versions, and LAN-W301NR all versions.

References

Link	Tags
https://www.elecom.co.jp/news/security/20230810-01/
https://www.elecom.co.jp/news/security/20230711-01/	vendor advisory
https://jvn.jp/en/vu/JVNVU91850798/	third party advisory

Frequently Asked Questions

What is the severity of CVE-2023-37567?: CVE-2023-37567 has been scored as a critical severity vulnerability.
How to fix CVE-2023-37567?: To fix CVE-2023-37567, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2023-37567 being actively exploited in the wild?: It is possible that CVE-2023-37567 is being exploited or will be exploited in a near future based on public information. According to its EPSS score, there is a ~3% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2023-37567?: CVE-2023-37567 affects ELECOM CO.,LTD. WRC-1167GHBK3-A, ELECOM CO.,LTD. WRC-F1167ACF2, ELECOM CO.,LTD. WRC-600GHBK-A, ELECOM CO.,LTD. WRC-733FEBK2-A, ELECOM CO.,LTD. WRC-1467GHBK-A, ELECOM CO.,LTD. WRC-1900GHBK-A, LOGITEC CORPORATION LAN-W301NR.

Description

Category

CWE-77 – Improper Neutralization of Special Elements used in a Command ('Command Injection')

References

Frequently Asked Questions