CVE-2023-25911

9.9 CRITICAL

📋 TL;DR

CVE-2023-25911 is a critical OS command injection vulnerability in Danfoss AK-EM100 web applications that allows authenticated attackers to execute arbitrary operating system commands. This affects organizations using Danfoss AK-EM100 devices with web interfaces exposed. Attackers can gain full system control through the web application parameters.

💻 Affected Systems

Products:
  • Danfoss AK-EM100
Versions: All versions prior to patched versions (specific version information not provided in references)
Operating Systems: Embedded systems running Danfoss AK-EM100 firmware
Default Config Vulnerable: ⚠️ Yes
Notes: Requires authenticated access to the web interface. The vulnerability exists in web application parameters.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise allowing attackers to execute arbitrary commands with system privileges, potentially leading to data theft, system destruction, or lateral movement within the network.

🟠 Likely Case

Attackers gain shell access to the device, allowing them to install malware, exfiltrate data, or use the device as a pivot point for further attacks.

🟢 If Mitigated

With proper network segmentation and authentication controls, impact is limited to the specific device, though it remains vulnerable to authenticated attackers.

🌐 Internet-Facing: HIGH - Web applications exposed to the internet can be directly targeted by authenticated attackers.
🏢 Internal Only: HIGH - Even internally, authenticated users or compromised accounts can exploit this vulnerability.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access but is straightforward once authentication is obtained. The vulnerability is in web parameters, making it easy to craft malicious requests.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Specific version not provided in references - check vendor advisory

Vendor Advisory: https://divd.nl/cves/CVE-2023-25911

Restart Required: Yes

Instructions:

1. Check Danfoss security advisory for patch availability.
2. Download latest firmware from Danfoss support portal.
3. Apply firmware update following manufacturer instructions.
4. Restart device to apply changes.
5. Verify patch installation.

🔧 Temporary Workarounds

Network Segmentation

Isolate Danfoss AK-EM100 devices from critical networks and restrict access to authorized users only.

Access Control Hardening

Implement strict authentication controls, use strong passwords, and limit user privileges to minimum necessary.

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate affected devices
  • Monitor for suspicious command execution attempts and web application parameter manipulation

🔍 How to Verify

Check if Vulnerable:

Check device firmware version against patched versions in Danfoss advisory. Test web application parameters for command injection vulnerabilities.

Check Version:

Check web interface system information page or use manufacturer-specific CLI commands if available

Verify Fix Applied:

Verify firmware version matches patched version from vendor. Test previously vulnerable parameters to ensure command injection is no longer possible.

📡 Detection & Monitoring

Log Indicators:

  • Unusual command execution in system logs
  • Web application parameter manipulation attempts
  • Authentication logs showing access from unexpected sources

Network Indicators:

  • Unusual outbound connections from Danfoss devices
  • Suspicious HTTP requests to web application parameters

SIEM Query:

source="danfoss-ak-em100" AND (event="command_execution" OR param="*;*" OR param="*|*" OR param="*`*" OR param="*$(*")
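
The query above matches only literal metacharacters, so percent-encoded forms such as %3B or %7C would pass unnoticed. The following is an added example, not code from this page or from Danfoss: it decodes query parameters before applying the same four patterns. It assumes requests to the device are logged in combined access-log format (for example by a reverse proxy in front of it); the sample lines, the path /example.cgi and the parameter names are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# The same metacharacters the SIEM query looks for: ; | ` $(
SHELL_META = re.compile(r"[;|`]|\$\(")

# Client address and request target of a combined-format log line (assumed format).
REQUEST = re.compile(r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample input; addresses are from documentation ranges.
SAMPLE_LOG = [
    '192.0.2.10 - admin [01/Mar/2023:10:00:00 +0000] "GET /example.cgi?unit=1&label=cooler HTTP/1.1" 200 512',
    '192.0.2.10 - admin [01/Mar/2023:10:00:05 +0000] "GET /example.cgi?unit=1%3Becho+test HTTP/1.1" 200 512',
    '198.51.100.7 - admin [01/Mar/2023:10:01:00 +0000] "GET /example.cgi?label=a%7Cb HTTP/1.1" 200 512',
    '198.51.100.7 - admin [01/Mar/2023:10:01:09 +0000] "POST /example.cgi?label=%24%28x%29 HTTP/1.1" 200 512',
]


def suspicious_params(line):
    """Return [(client_ip, param_name, decoded_value)] for one log line."""
    m = REQUEST.match(line)
    if not m:
        return []  # not a request line we can parse
    query = urlsplit(m["target"]).query
    hits = []
    # parse_qsl percent-decodes names and values, so encoded
    # metacharacters are compared in their decoded form.
    for name, value in parse_qsl(query, keep_blank_values=True):
        if SHELL_META.search(value):
            hits.append((m["ip"], name, value))
    return hits


def scan(lines):
    """Collect hits across all lines, preserving log order."""
    return [hit for line in lines for hit in suspicious_params(line)]


if __name__ == "__main__":
    for ip, name, value in scan(SAMPLE_LOG):
        print(f"{ip} param={name!r} value={value!r}")
```

Parameters sent in a POST body do not appear in access logs, so this covers query strings only. Legitimate values containing a semicolon or pipe will also match and need triage.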
