CVE-2023-4990 – A directory traversal vulnerability in MCL-Net ... (How to Fix)

Q: What is the severity of CVE-2023-4990?

CVE-2023-4990 has a CVSS score of 8.3 (HIGH). A directory traversal vulnerability in MCL-Net versions before 4.6 Update Package (P01) allows attackers to read arbitrary files on the system. This affects organizations using vulnerable MCL-Net software for mobility platform management.

📋 TL;DR

A directory traversal vulnerability in MCL-Net versions before 4.6 Update Package (P01) allows attackers to read arbitrary files on the system. This affects organizations using vulnerable MCL-Net software for mobility platform management.

💻 Affected Systems

Products:

MCL-Net

Versions: All versions prior to 4.6 Update Package (P01)

Operating Systems: Not specified, likely multiple

Default Config Vulnerable: ⚠️ Yes

Notes: Vulnerability exists in the file reading functionality of MCL-Net software.

📦 What is this software?

Espeak Ng by Espeak Ng

View all CVEs affecting Espeak Ng →

Mcl Net Firmware by Mcl Collection

View all CVEs affecting Mcl Net Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could read sensitive system files, configuration files, or credential files, potentially leading to full system compromise.

🟠

Likely Case

Attackers read configuration files containing sensitive information or application data.

🟢

If Mitigated

Limited to reading non-sensitive files if proper file permissions and access controls are implemented.

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Directory traversal vulnerabilities typically have low exploitation complexity and may not require authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.6 Update Package (P01)

Vendor Advisory: https://www.mcl-mobilityplatform.com/downloads.php

Restart Required: Yes

Instructions:

1. Download the 4.6 Update Package (P01) from the vendor website. 2. Apply the update following vendor instructions. 3. Restart the MCL-Net service or system.

🔧 Temporary Workarounds

Restrict file access permissions

linux

Set strict file permissions on sensitive directories and files to limit what can be read.

chmod 600 /path/to/sensitive/files
chown root:root /path/to/sensitive/files

Implement web application firewall rules

all

Block directory traversal patterns in HTTP requests.

🧯 If You Can't Patch

Isolate the vulnerable system from untrusted networks
Implement strict network segmentation and access controls

🔍 How to Verify

Check if Vulnerable:

Check MCL-Net version number in application interface or configuration files.

Check Version:

Check application documentation for version command, typically in admin interface.

Verify Fix Applied:

Verify version shows 4.6 Update Package (P01) or later after patching.

📡 Detection & Monitoring

Log Indicators:

Unusual file access patterns
HTTP requests containing '../' sequences
Access to files outside expected directories

Network Indicators:

HTTP requests with directory traversal payloads (e.g., ../../../etc/passwd)

SIEM Query:

http.url:*../* AND (http.status:200 OR http.status:404)

📊 Metadata

CVE ID: CVE-2023-4990

CVSS v3 Score: 8.3 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L

CWE: CWE-22

Published: October 11, 2023

Last Updated: May 1, 2025

🔗 References

https://www.mcl-mobilityplatform.com/downloads.php Product,Release Notes
https://www.mcl-mobilityplatform.com/downloads.php Product,Release Notes

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2023-4990, you might also want to check these: