Peplink Security Advisory: Firmware 6.3.5 - OS command injection & Cross-Site Scripting (XSS) vulnerabilities

Recently, we have communicated with a security research lab that has informed us that they have found several vulnerabilities on Peplink firmware 6.3.5. Here are the details:

a. OS command injection
CVE-2023-27380, CVE-2023-28381, CVE-2023-34356, CVE-2023-35193, CVE-2023-35194

b. Cross-Site Scripting (XSS)

Products The vulnerabilities were identified in the Balance, MAX, MediaFast, Surf SOHO, and FusionHub product families for firmware version 6.3.5.

It has been fixed in the firmware version 8.3.0/8.4.0, it can be downloaded here.


Thanks for the Security Advisory, — one of the many things that makes Peplink great. I do have a question: From what I understand, there are two definitions for the HW1 designation within the Soho family. I am running a Surf Soho MK 3 with firmware 8.2.1. Is the Mk3 router affected by this Advisory? It appears that I am safe from the other Security Advisory issued today, but perhaps not this one? Thank you in advance for clarification.