HIGH🇵🇱 Wersja polska

CVE-2023-35194

CVSS 7.2v3.1pub. 2023-10-11upd. 2025-11-04

An OS command injection vulnerability exists in the api.cgi cmd.mvpn.x509.write functionality of peplink Surf SOHO HW1 v6.3.5 (in QEMU). A specially crafted HTTP request can lead to command execution. An attacker can make an authenticated HTTP request to trigger this vulnerability.This vulnerability is specifically for the `system` call in the file `/web/MANGA/cgi-bin/api.cgi` for firmware version 6.3.5 at offset `0x4bde44`.

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
  • Peplink Surf Soho

    HW
    Peplink
    hw1
  • Peplink Surf Soho Firmware

    OS
    Peplink
    6.3.5
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
VPNCommand Injection
CWE
References

Related vulnerabilities

CVE-2023-27380HIGH7.2ten sam produkt

An OS command injection vulnerability exists in the admin.cgi USSD_send functionality of peplink Surf SOHO HW1...

CVE-2023-28381HIGH7.2ten sam produkt

An OS command injection vulnerability exists in the admin.cgi MVPN_trial_init functionality of peplink Surf SO...

CVE-2023-34356HIGH7.2ten sam produkt

An OS command injection vulnerability exists in the data.cgi xfer_dns functionality of peplink Surf SOHO HW1 v...

CVE-2023-35193HIGH7.2ten sam produkt

An OS command injection vulnerability exists in the api.cgi cmd.mvpn.x509.write functionality of peplink Surf ...

CVE-2020-24246HIGH7.5ten sam produkt

Peplink Balance before 8.1.0rc1 allows an unauthenticated attacker to download PHP configuration files (/filem...