Peplink Security Advisory: Firmware 8.3.0 - Command Injection (CVE-2023-49226).

Background
A security research lab recently informed us that they have found a vulnerability in Peplink firmware version 8.3.0. Details are below:

OS command injection (CVE-2023-49226)

  • The reference link can be found here.

NOTE:
The “CLI SSH & Console” option is disabled by default, so a router with the default setting is not exposed to the vulnerability. If the router is running firmware 8.3.0 and the option has been turned ON, you may turn it OFF to prevent possible unauthorized access.

Products
The vulnerability was identified in the Peplink Balance, MAX, MediaFast, Surf SOHO, and FusionHub product families running firmware version 8.3.0.

Solution
The vulnerability has been fixed in firmware version 8.4.0, which can be downloaded here.

Published: 2023-12-27
