VYPR
High severity7.2NVD Advisory· Published Dec 8, 2023· Updated Jun 17, 2026

CVE-2023-43744

CVE-2023-43744

Description

An OS command injection vulnerability in Zultys MX-SE, MX-SE II, MX-E, MX-Virtual, MX250, and MX30 with firmware versions prior to 17.0.10 patch 17161 and 16.04 patch 16109 allows an administrator to execute arbitrary OS commands via a file name parameter in a patch application function. The Zultys MX Administrator client has a "Patch Manager" section that allows administrators to apply patches to the device. The user supplied filename for the patch file is passed to a shell script without validation. Including bash command substitution characters in a patch file name results in execution of the provided command.

Affected products

3
  • Zultys/MX-SE, MX-SE II, MX-E, MX-Virtual, MX250, and MX30description
  • Zultys/MX-SEllm-fuzzy
    Range: <17.0.10 patch 17161, <16.04 patch 16109
  • Range: <17.0.10 patch 17161, <16.04 patch 16109

Patches

Vulnerability mechanics

References

2

News mentions

0

No linked articles in our index yet.