VYPR
Unrated severity · NVD Advisory · Published Oct 4, 2023 · Updated Sep 19, 2024

CVE-2023-43321

Description

File Upload vulnerability in Digital China Networks DCFW-1800-SDC v.3.0 allows an authenticated attacker to execute arbitrary code via the wget function in the /sbin/cloudadmin.sh component.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Authenticated command injection in DCFW-1800-SDC v3.0 via wget parameter manipulation allows arbitrary file upload and code execution.

Vulnerability

A file upload and command injection vulnerability exists in the Digital China Networks DCFW-1800-SDC (CTF platform) version 3.0 [1][2]. The flaw resides in the /sbin/cloudadmin.sh script, specifically within the update_system() function reachable from management menu option 9. The function accepts user-supplied SERVERIP and FILENAME parameters without sanitization and passes them to the wget command, allowing an authenticated attacker to control the URL and inject arbitrary arguments or commands [2].

Exploitation

An attacker must first authenticate to the device via SSH using the default credentials (username admin, password admin) [2]. Upon successful login, the management menu is presented. The attacker selects option 9 (Update System or Lesson) and provides a malicious FILENAME value containing shell metacharacters or additional wget options (e.g., --post-file or command substitution). The wget http://${SERVERIP}/${FILENAME} command is then executed with the unsanitized input, enabling arbitrary command execution [2].

Impact

Successful exploitation allows an authenticated attacker to execute arbitrary commands with root privileges on the device. This can be leveraged to upload arbitrary files, exfiltrate sensitive data, install persistent backdoors, or fully compromise the CTF platform [2]. The impact is high, as the attacker gains full control over the affected system.

Mitigation

As of the publication date (2023-10-04), no official fix or patched version has been released by Digital China Networks [1][2]. Users are advised to restrict SSH access to trusted administrators only, change default credentials immediately, and monitor for vendor updates. If possible, disable the update functionality or apply network-level restrictions to prevent exploitation. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog at this time.
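With no vendor fix available, the following is an added example (not the vendor's script or an official patch) of how an update routine like the one described above could validate SERVERIP and FILENAME before they reach wget. The function names, the IPv4-only rule, the filename allowlist, the 64-character limit and the /tmp/update destination are all assumptions.

```shell
#!/bin/sh
# Added example: allowlist validation for the two values the advisory says
# reach wget unsanitized. Every name and limit below is an assumption.
LC_ALL=C; export LC_ALL   # keep [A-Z]-style ranges byte-exact

# Accept only a dotted-quad IPv4 literal: four octets, each 0-255.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;   # non-digits, empty octets
    esac
    rest=$1. count=0
    while [ -n "$rest" ]; do
        octet=${rest%%.*}; rest=${rest#*.}
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
        count=$((count + 1))
    done
    [ "$count" -eq 4 ]
}

# Accept only a plain file name: no path separators, no whitespace, no shell
# metacharacters, and no leading '-' (option-like) or '.' (dot-dot, hidden).
valid_filename() {
    case "$1" in
        ''|-*|.*)          return 1 ;;
        *[!A-Za-z0-9._-]*) return 1 ;;
    esac
    [ "${#1}" -le 64 ]
}

# Fetch the update only after both values pass; returns 2 on rejection.
fetch_update() {
    server=$1 file=$2 dest_dir=${3:-/tmp/update}
    valid_ipv4 "$server"   || { echo "rejected server address" >&2; return 2; }
    valid_filename "$file" || { echo "rejected file name" >&2; return 2; }
    # One quoted URL argument after "--": wget cannot read it as an option,
    # and the shell never re-parses it.
    wget -O "$dest_dir/$file" -- "http://$server/$file"
}
```

Validation of this kind narrows what the menu option accepts; it does not replace changing the default credentials or restricting SSH access.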

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.


References

2
