2023-3-01 Unauthenticated Command Injection EG7035-M11 CPE Series

Blake Volk

First Published: 2023 March 1

Last Updated: 2023 March 1


Upgrade to 2.25.26


Baicells EG7035-M11 devices with firmware through BCE-ODU-1.0.8 are vulnerable to command injection through HTTP GET requests. The injected commands are executed pre-login, without authentication, and run with root permissions. The following methods have been tested and validated by a third-party analyst and have been confirmed exploitable. Special thanks to Lionel Musonza for the discovery. More information regarding CVE-2023-1097 can be reviewed here: CVE-2023-1097

Affected Products: 

  • EG7035-M11


Baicells has resolved this vulnerability in software version BaiCE_BM_2.5.26 and later. Baicells recommends that all customers currently running an earlier version of BaiCE_BM firmware upgrade their products to the 2.5.26 firmware. Firmware can be downloaded from our community page or upgraded via OMC. 


BaiCE_BM_2.5.26:  Firmware Download
