CVE-2023-33374

Published: Aug 4, 2023Modified: Jun 17, 2026

9.8

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 3.9 / Impact: 5.9

Source: NVD

Description

Connected IO v2.1.0 and prior has a command as part of its communication protocol allowing the management platform to specify arbitrary OS commands for devices to execute. Attackers abusing this dangerous functionality may issue all devices OS commands to execute, resulting in arbitrary remote command execution.

Affected (1)

Products: Connectedio: Connected Io

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Connectedio Connected Io	Up to 2.1.0

Related CWEs

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

References (4)

https://claroty.com/team82/disclosure-dashboard/cve-2023-33374

Source: cve@mitre.org

Third Party Advisory

https://www.connectedio.com/products/routers

Source: cve@mitre.org

Product

https://claroty.com/team82/disclosure-dashboard/cve-2023-33374

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

https://www.connectedio.com/products/routers

Source: af854a3a-2127-422b-91ae-364da2661108

Product

Timeline

No history available yet.