Critical Vulnerability Found in Dasan Networks W-Web Software – Update Now!

CVE: CVE-2023-42495
CVSS (v3.1): 9.8
Source: CVE-2023-42495

According to a new CVE report, Dasan Networks’ W-Web software versions 1.22 through 1.27 contain a severe command injection vulnerability.

The vulnerability, tracked as CVE-2023-42495, has been given a CVSS score of 9.8 out of 10, meaning it is easily exploitable and can allow a remote attacker to execute arbitrary commands on the affected system with full privileges.

W-Web is a web server management tool. The vulnerability arises from improper sanitization of special elements in input that is used to build OS commands. A malicious actor could send a specially crafted request that inserts OS commands into the W-Web software. If exploited, this would allow the attacker to take full control of the underlying operating system.

With access to the OS, an attacker could then install programs, view, change or delete data, create new accounts with full access rights, and more. They could use the compromised server to launch attacks on other internal systems within the network as well.
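To make the flaw class described above (OS command injection) and its fix concrete, here is an added example; it is not W-Web code and not taken from the CVE report. It assumes a hypothetical diagnostic handler written in Python, with `echo` standing in for the real OS command, and every function name and input is constructed for illustration.

```python
import ipaddress
import subprocess

# Hypothetical diagnostic handler: "echo" stands in for the real OS command so
# the example runs offline. None of these names come from W-Web.

def diag_unsafe(host: str) -> str:
    """Vulnerable pattern: the request value is pasted into a shell string."""
    result = subprocess.run("echo checking " + host, shell=True,
                            capture_output=True, text=True)
    return result.stdout

def diag_argv_only(host: str) -> str:
    """No shell: the value is one argv element, so ';' is treated as data."""
    result = subprocess.run(["echo", "checking", host],
                            capture_output=True, text=True)
    return result.stdout

def diag_hardened(host: str) -> str:
    """Allowlist validation first (must parse as an IP address), then argv exec."""
    try:
        addr = ipaddress.ip_address(host.strip())
    except ValueError:
        raise ValueError("rejected: not an IP address") from None
    return diag_argv_only(str(addr))

# Constructed inputs: a normal value and one carrying a shell metacharacter.
BENIGN = "192.0.2.10"
TAINTED = "192.0.2.10; echo INJECTED"

if __name__ == "__main__":
    print(repr(diag_unsafe(TAINTED)))     # the shell ran two commands
    print(repr(diag_argv_only(TAINTED)))  # one command, literal argument
    try:
        diag_hardened(TAINTED)
    except ValueError as exc:
        print(exc)                        # input refused before any exec
    print(repr(diag_hardened(BENIGN)))
```

The hardened path combines two independent controls: strict input validation and execution without a shell. Either one alone stops this input, and using both keeps the handler safe if one is later weakened.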

If you are running Dasan Networks W-Web versions 1.22 through 1.27, you are urged to immediately update to the latest version to patch this vulnerability. Removing or disabling the vulnerable component may also help reduce risk until an update is available. Keeping systems up to date is also important for ongoing protection against newly discovered threats.
