CVE-2023-48243

Summary

The vulnerability allows a remote attacker to upload arbitrary files in all paths of the system under the context of the application OS user (“root”) via a crafted HTTP request. By abusing this vulnerability, it is possible to obtain remote code execution (RCE) with root privileges on the device.

Affected Software

VendorProductVersion RangeStatus
RexrothNexo cordless nutrunner NXA015S-36V (0608842001)NEXO-OS V1000-Release <= NEXO-OS V1500-SP2affected
RexrothNexo cordless nutrunner NXA030S-36V (0608842002)NEXO-OS V1000-Release <= NEXO-OS V1500-SP2affected
RexrothNexo cordless nutrunner NXA050S-36V (0608842003)NEXO-OS V1000-Release <= NEXO-OS V1500-SP2affected
RexrothNexo cordless nutrunner NXP012QD-36V (0608842005)NEXO-OS V1000-Release <= NEXO-OS V1500-SP2affected
RexrothNexo cordless nutrunner NXA015S-36V-B (0608842006)NEXO-OS V1000-Release <= NEXO-OS V1500-SP2affected
RexrothNexo cordless nutrunner NXA030S-36V-B (0608842007)NEXO-OS V1000-Release <= NEXO-OS V1500-SP2affected
RexrothNexo cordless nutrunner NXA050S-36V-B (0608842008)NEXO-OS V1000-Release <= NEXO-OS V1500-SP2affected
RexrothNexo cordless nutrunner NXP012QD-36V-B (0608842010)NEXO-OS V1000-Release <= NEXO-OS V1500-SP2affected
RexrothNexo cordless nutrunner NXA011S-36V (0608842011)NEXO-OS V1000-Release <= NEXO-OS V1500-SP2affected
RexrothNexo cordless nutrunner NXA011S-36V-B (0608842012)NEXO-OS V1000-Release <= NEXO-OS V1500-SP2affected
RexrothNexo cordless nutrunner NXA065S-36V (0608842013)NEXO-OS V1000-Release <= NEXO-OS V1500-SP2affected
RexrothNexo cordless nutrunner NXA065S-36V-B (0608842014)NEXO-OS V1000-Release <= NEXO-OS V1500-SP2affected
RexrothNexo cordless nutrunner NXV012T-36V (0608842015)NEXO-OS V1000-Release <= NEXO-OS V1500-SP2affected
RexrothNexo cordless nutrunner NXV012T-36V-B (0608842016)NEXO-OS V1000-Release <= NEXO-OS V1500-SP2affected
RexrothNexo special cordless nutrunner (0608PE2272)NEXO-OS V1000-Release <= NEXO-OS V1500-SP2affected
RexrothNexo special cordless nutrunner (0608PE2301)NEXO-OS V1000-Release <= NEXO-OS V1500-SP2affected
RexrothNexo special cordless nutrunner (0608PE2514)NEXO-OS V1000-Release <= NEXO-OS V1500-SP2affected
RexrothNexo special cordless nutrunner (0608PE2515)NEXO-OS V1000-Release <= NEXO-OS V1500-SP2affected
RexrothNexo special cordless nutrunner (0608PE2666)NEXO-OS V1000-Release <= NEXO-OS V1500-SP2affected
RexrothNexo special cordless nutrunner (0608PE2673)NEXO-OS V1000-Release <= NEXO-OS V1500-SP2affected

Weaknesses

  • CWE-22: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: total

References