Unrated severity · NVD Advisory · Published Dec 25, 2023 · Updated Aug 2, 2024

CVE-2023-49226

Description

Command injection in Peplink Balance Two traceroute allows admin users to execute arbitrary commands as root.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The vulnerability is a command injection flaw in the traceroute feature of the administration console in Peplink Balance Two devices running firmware versions prior to 8.4.0. An authenticated user with admin privileges can inject arbitrary commands through the traceroute input, and the injected commands are executed as root.

Exploitation

An attacker must have administrative access to the Peplink Balance Two administration console. No user interaction is required beyond the attacker's own actions. The attacker can craft a special traceroute request containing malicious command payloads, which are then interpreted and executed by the underlying system.

Impact

Successful exploitation allows the attacker to execute arbitrary operating system commands with root privileges. This results in full compromise of the device, including the ability to read, modify, or delete any data, install malware, or pivot to other network resources.

Mitigation

The issue is fixed in Peplink Balance Two firmware version 8.4.0. Users should upgrade to this version or later. There are no known workarounds for devices that cannot be updated. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog as of publication.

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.