Peplink Security Advisory: Firmware 8.3.0 - Command Injection (CVE-2023-49226).

A security research lab recently informed us that it has found a vulnerability in Peplink firmware version 8.3.0. Details are below:

OS command injection (CVE-2023-49226)

  • The reference link can be found here.

The “CLI SSH & Console” option is disabled by default, so a router with the default setting is not exposed to the vulnerability. If the router is running firmware 8.3.0 and the option has been turned ON, you may turn it OFF to prevent possible unauthorized access.

The vulnerability was identified in the Peplink Balance, MAX, MediaFast, Surf SOHO, and FusionHub product families running firmware version 8.3.0.

It has been fixed in firmware version 8.4.0, which can be downloaded here.

Published: 2023-12-27
