CVE-2023-2625

Summary

A vulnerability exists that can be exploited by an authenticated client that is connected to the same network segment as the CoreTec 4, having any level of access VIEWER to ADMIN. To exploit the vulnerability the attacker can inject shell commands through a particular field of the web user interface that will be executed by the system.

Affected Software

VendorProductVersion RangeStatus
Hitachi EnergyTXpert Hub CoreTec 4TXpert Hub CoreTec 4 version 2.0.*affected
Hitachi EnergyTXpert Hub CoreTec 4TXpert Hub CoreTec 4 version 2.1.*affected
Hitachi EnergyTXpert Hub CoreTec 4TXpert Hub CoreTec 4 version 2.2.*affected
Hitachi EnergyTXpert Hub CoreTec 4TXpert Hub CoreTec 4 version 2.3.*affected
Hitachi EnergyTXpert Hub CoreTec 4TXpert Hub CoreTec 4 version 2.4.*affected
Hitachi EnergyTXpert Hub CoreTec 4TXpert Hub CoreTec 4 version 3.0.1unaffected

Weaknesses

  • CWE-78: CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Workarounds

Apply mitigation as described in the cybersecurity advisory Mitigation Factors/Workarounds Section.

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References