CVE-2023-32349

8.0 HIGH

Remote Code Execution

📋 TL;DR

This vulnerability allows authenticated attackers to modify validation variables in Teltonika RUT router firmware, enabling malicious parameters in the packet dump utility that can lead to arbitrary code execution. It affects organizations using Teltonika RUT routers with firmware version 00.07.03.4 or earlier.

💻 Affected Systems

Products:

• Teltonika RUT series routers

Versions: 00.07.03.4 and prior

Operating Systems: Embedded Linux-based firmware

Default Config Vulnerable: ⚠️ Yes

Notes: Requires authenticated access to the UCI configuration utility, which may be enabled by default for management.

📦 What is this software?

Rut200 Firmware by Teltonika Networks

View all CVEs affecting Rut200 Firmware →

Rut240 Firmware by Teltonika Networks

View all CVEs affecting Rut240 Firmware →

Rut241 Firmware by Teltonika Networks

View all CVEs affecting Rut241 Firmware →

Rut300 Firmware by Teltonika Networks

View all CVEs affecting Rut300 Firmware →

Rut360 Firmware by Teltonika Networks

View all CVEs affecting Rut360 Firmware →

Rut901 Firmware by Teltonika Networks

View all CVEs affecting Rut901 Firmware →

Rut950 Firmware by Teltonika Networks

View all CVEs affecting Rut950 Firmware →

Rut951 Firmware by Teltonika Networks

View all CVEs affecting Rut951 Firmware →

Rut955 Firmware by Teltonika Networks

View all CVEs affecting Rut955 Firmware →

Rut956 Firmware by Teltonika Networks

View all CVEs affecting Rut956 Firmware →

Rutx08 Firmware by Teltonika Networks

View all CVEs affecting Rutx08 Firmware →

Rutx09 Firmware by Teltonika Networks

View all CVEs affecting Rutx09 Firmware →

Rutx10 Firmware by Teltonika Networks

View all CVEs affecting Rutx10 Firmware →

Rutx11 Firmware by Teltonika Networks

View all CVEs affecting Rutx11 Firmware →

Rutx12 Firmware by Teltonika Networks

View all CVEs affecting Rutx12 Firmware →

Rutx14 Firmware by Teltonika Networks

View all CVEs affecting Rutx14 Firmware →

Rutx50 Firmware by Teltonika Networks

View all CVEs affecting Rutx50 Firmware →

Rutxr1 Firmware by Teltonika Networks

View all CVEs affecting Rutxr1 Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full router compromise allowing attacker to intercept/modify network traffic, pivot to internal networks, and establish persistent access.

🟠

Likely Case

Router takeover enabling traffic monitoring, credential theft, and lateral movement within the network.

🟢

If Mitigated

Limited impact if strong authentication controls prevent unauthorized access to the UCI configuration utility.

🌐 Internet-Facing: HIGH - Routers often have web interfaces exposed to the internet for management.

🏢 Internal Only: MEDIUM - Requires authenticated access but internal attackers or compromised accounts could exploit.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: MEDIUM

Requires authenticated access and knowledge of UCI configuration utility manipulation.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Versions after 00.07.03.4

Vendor Advisory: https://wiki.teltonika-networks.com/view/RUTX11_Firmware_Downloads

Restart Required: Yes

Instructions:

1. Download latest firmware from Teltonika support portal. 2. Log into router web interface. 3. Navigate to System > Backup/Flash Firmware. 4. Upload new firmware file. 5. Wait for automatic reboot.

🔧 Temporary Workarounds

Disable UCI configuration utility

linux

Remove or disable access to the vulnerable UCI configuration interface

Copy

uci delete network.wan
uci commit
service network restart

Restrict management interface access

linux

Limit access to router management interface to trusted IPs only

Copy

iptables -A INPUT -p tcp --dport 80 -s TRUSTED_IP -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP

🧯 If You Can't Patch

• Implement strict network segmentation to isolate routers from critical assets
• Enable multi-factor authentication for router management interfaces

🔍 How to Verify

Check if Vulnerable:

Copy

Check firmware version via web interface: System > Overview > Firmware Version

Check Version:

Copy

cat /etc/os-release | grep VERSION

Verify Fix Applied:

Copy

Verify firmware version is above 00.07.03.4 and test UCI configuration changes are properly validated

📡 Detection & Monitoring

Log Indicators:

• Unexpected UCI configuration changes
• Unauthorized access to /usr/sbin/packetdump
• Suspicious process execution from packet dump utility

Network Indicators:

• Unusual outbound connections from router
• Traffic redirection patterns
• DNS hijacking attempts

SIEM Query:

Copy

source="router.log" AND ("uci set" OR "packetdump") AND NOT user="admin"

📊 Metadata

CVE ID: CVE-2023-32349

CVSS v3 Score: 8.0 (HIGH)

CVSS Vector: CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-15

Published: May 22, 2023

Last Updated: November 21, 2024

🔗 References

• https://www.cisa.gov/news-events/ics-advisories/icsa-23-131-08 Third Party Advisory,US Government Resource
• https://www.cisa.gov/news-events/ics-advisories/icsa-23-131-08 Third Party Advisory,US Government Resource

📤 Share & Export

Twitter LinkedIn Reddit Copy Link

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2023-32349, you might also want to check these:

CVE-2024-4326 9.8

This vulnerability allows remote attackers to execute arbitrary code on systems running vulnerable v...

Same vulnerability type (CWE-15)

CVE-2026-22708 9.8

This vulnerability in Cursor AI code editor allows attackers to execute shell built-ins without allo...

Same vulnerability type (CWE-15)

CVE-2021-38453 9.1

This vulnerability allows attackers to interact with the Windows registry through exposed API functi...

Same vulnerability type (CWE-15)