CVE-2023-26866

Severity: 9.8 CRITICAL

📋 TL;DR

This vulnerability allows unauthenticated remote attackers to execute arbitrary commands with root privileges on GreenPacket OH736 WR-1200 Indoor Unit and OT-235 devices. Attackers can completely compromise affected devices before any authentication occurs. Organizations using these specific firmware versions are at risk.

💻 Affected Systems

Products:
  • GreenPacket OH736 WR-1200 Indoor Unit
  • GreenPacket OT-235
Versions: M-IDU-1.6.0.3_V1.1 for WR-1200, MH-46360-2.0.3-R5-GP for OT-235
Operating Systems: Embedded Linux firmware
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists in default configurations, no special configuration required for exploitation.

⚠️ Risk & Real-World Impact

🔴 Worst Case
Complete device takeover allowing attackers to install persistent backdoors, pivot to internal networks, intercept/modify network traffic, or use devices as botnet nodes.

🟠 Likely Case
Remote code execution leading to device compromise, data exfiltration, and potential lateral movement within the network.

🟢 If Mitigated
Limited impact if devices are behind firewalls with strict inbound filtering and network segmentation.

🌐 Internet-Facing: HIGH - Unauthenticated remote exploitation allows complete compromise from anywhere on the internet.
🏢 Internal Only: HIGH - Even internally, because exploitation requires no login, any attacker with network access to the device can compromise it.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public proof-of-concept code available on GitHub demonstrates remote command injection without authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Unknown

Restart Required: No

Instructions:

No official patch available. Check vendor website for firmware updates and apply if available.

🔧 Temporary Workarounds

Network Segmentation (applies to: all)
Isolate affected devices in separate network segments with strict firewall rules.

Access Control Lists (applies to: all)
Implement strict inbound filtering to limit access to device management interfaces.

🧯 If You Can't Patch

  • Immediately remove affected devices from internet-facing positions
  • Implement network monitoring for unusual outbound connections from these devices

🔍 How to Verify

Check if Vulnerable:

Check the device firmware version via the web interface, or via SSH if accessible, and compare it against the affected versions listed above (M-IDU-1.6.0.3_V1.1 for the WR-1200, MH-46360-2.0.3-R5-GP for the OT-235).

Check Version:

Check via the device web interface or manufacturer-specific CLI commands.

Verify Fix Applied:

Verify that the firmware has been updated to a version not listed under affected versions.

📡 Detection & Monitoring

Log Indicators:

  • Unusual command execution in system logs
  • Multiple failed authentication attempts followed by successful command execution
  • Suspicious process creation

Network Indicators:

  • Unusual outbound connections from device
  • Traffic to known malicious IPs
  • Unexpected SSH or reverse shell connections

SIEM Query:

Example: 'source="device_logs" AND ("command injection" OR "unauthorized command" OR suspicious shell commands)'
