8.8

CVE-2023-40145

Weintek cMT3000 HMI Web CGI OS Command Injection









In Weintek's cMT3000 HMI Web CGI device, an anonymous attacker can execute arbitrary commands after login to the device.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
WeintekCmt-fhd Firmware Version < 20210212
   WeintekCmt-fhd Version-
WeintekCmt-hdm Firmware Version < 20210206
   WeintekCmt-hdm Version-
WeintekCmt3071 Firmware Version < 20210220
   WeintekCmt3071 Version-
WeintekCmt3072 Firmware Version < 20210220
   WeintekCmt3072 Version-
WeintekCmt3090 Firmware Version < 20210220
   WeintekCmt3090 Version-
WeintekCmt3103 Firmware Version < 20210220
   WeintekCmt3103 Version-
WeintekCmt3151 Firmware Version < 20210220
   WeintekCmt3151 Version-
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 1.17% 0.633
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 8.8 2.8 5.9
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
ics-cert@hq.dhs.gov 8.8 2.8 5.9
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

https://dl.weintek.com/public/Document/TEC/TEC23005E_cMT_Web_Security_Update.pdf
Vendor Advisory
https://www.cisa.gov/news-events/ics-advisories/icsa-23-285-12
Third Party Advisory
US Government Resource