← back
CVE-2023-7311

BYTEVALUE Intelligent Flow Control Router Command Injection

CVSS 9.3 CRITICALEPSS 1.9%CWE-78
Vexday Risk Score
48Attention
SSVC decision (CISA)
Attend
PoC available → attend closely
CVSS 9.3EPSS 1.9%KEV nãoPoC públicaNuclei Metasploit Patch
Lifecycle
15 Oct 2025Published on NVD
Recommendation: Plan a near-term fix — a public PoC already exists.
BYTEVALUE Intelligent Flow Control Router contains a command injection vulnerability via the /goform/webRead/open endpoint. The `path` parameter is not properly validated and is echoed into a shell context, allowing an attacker to inject and execute arbitrary shell commands on the device. Successful exploitation can lead to writing backdoors, privilege escalation on the host, and full compromise of the router and its management functions. VulnCheck has observed this vulnerability being targeted by the RondoDox botnet campaign.
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.