Arbitrary Remote Command Execution in Connected IO v2.1.0 and Prior

Arbitrary Remote Command Execution in Connected IO v2.1.0 and Prior

CVE-2023-33374 · CRITICAL Severity

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Connected IO v2.1.0 and prior has a command as part of its communication protocol allowing the management platform to specify arbitrary OS commands for devices to execute. Attackers abusing this dangerous functionality may issue all devices OS commands to execute, resulting in arbitrary remote command execution.

Learn more about our Web Application Penetration Testing UK.