2023-3-01 Unauthenticated Command Injection EG7035-M11 CPE Series

Blake Volk

First Published:

2023 March 1

Last Updated:

2023 March 1

Workarounds:

Upgrade to 2.25.26

Summary:

Baicells EG7035-M11 devices with firmware through BCE-ODU-1.0.8 are vulnerable to command injection via HTTP GET requests. Injected commands are executed pre-login, without authentication, and run with root permissions. The following methods have been tested and validated by a third-party analyst and have been confirmed exploitable. Special thanks to Lionel Musonza for the discovery. More information regarding CVE-2023-1097 can be reviewed here: CVE-2023-1097

Affected Products: 

  • EG7035-M11

Resolution:

Baicells has resolved this vulnerability in software version BaiCE_BM_2.5.26 and later. Baicells recommends that all customers currently running an earlier version of BaiCE_BM firmware upgrade their products to the 2.5.26 firmware. Firmware can be downloaded from our community page or upgraded via OMC. 

 

BaiCE_BM_2.5.26:  Firmware Download
