
CVE-2023-5747

Command injection via wave install file

  • Severity Score (CVSS v3.1): 8.8
  • Exploit Likelihood (EPSS):
  • Affected Versions (CPE):
  • Public Exploits (Multiple Sources): 0
  • Exploited in Wild (KEV): -
  • Decision (SSVC): -

Descriptions

Bashis, a security researcher at IPVM, has found a flaw that allows remote code execution during the installation of Wave on the camera device. The Wave server application on the camera device was vulnerable to command injection, allowing an attacker to run arbitrary code. HanwhaVision has released patched firmware for the highlighted flaw. Please refer to the HanwhaVision security report for more information and the solution.


*Credits: N/A
CVSS Scores
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: High
  • Integrity: High
  • Availability: High

  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: High
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: High
  • Integrity: High
  • Availability: High
* Common Vulnerability Scoring System
SSVC
  • Decision: -
  • Exploitation: -
  • Automatable: -
  • Tech. Impact: -
* Organization's Worst-case Scenario
Timeline
  • 2023-10-24 CVE Reserved
  • 2023-11-13 CVE Published
  • 2024-08-02 CVE Updated
  • 2024-10-13 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-345: Insufficient Verification of Data Authenticity
  • CWE-347: Improper Verification of Cryptographic Signature
CAPEC
  • CAPEC-248: Command Injection
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status |
|---|---|---|---|---|
| Hanwhavision | Wave Server Software | < 5.1.1.37647 | - | Affected |
| in Hanwhavision | Pno-a6081r-e1t | - | - | Safe |
| Hanwhavision | Pno-a6081r-e1t Firmware | 2.21.02 | - | Affected |
| in Hanwhavision | Pno-a6081r-e1t | - | - | Safe |
| Hanwhavision | Wave Server Software | < 5.1.1.37647 | - | Affected |
| in Hanwhavision | Pno-a6081r-e2t | - | - | Safe |
| Hanwhavision | Pno-a6081r-e2t Firmware | 2.21.02 | - | Affected |
| in Hanwhavision | Pno-a6081r-e2t | - | - | Safe |