Key Vulnerability Information

Vulnerability name: BYTEVALUE Intelligent Flow Control Router Command Injection
Severity: CRITICAL
Date: October 14, 2025
Affected scope: All versions are presumed vulnerable based on limited information
CVE ID: CVE-2023-7311
CWE ID: CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVSS score: 9.3
CVSS v4 vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
References:
- CSDN Disclosure & PoC
- Internet Storm Center Analysis
- Nuclei Template
Discovered by: Anonymous User on CSDN
Description:
- BYTEVALUE Intelligent Flow Control Router contains a command injection vulnerability via the /goform/webRead/open endpoint. The 'path' parameter is not properly validated and is echoed into a shell context, allowing an attacker to inject and execute arbitrary shell commands on the device. Successful exploitation can lead to writing backdoors, privilege escalation on the host, and full compromise of the router and its management functions. This vulnerability has been targeted by the Rondo and Mirai botnets.
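
A defender-side check for the pattern described above, as an added example that is not part of the original advisory: it scans web access log lines for requests to /goform/webRead/open whose decoded 'path' value contains shell metacharacters. It assumes Common Log Format logs and that 'path' travels in the query string (the advisory does not state the HTTP method or encoding); the metacharacter set, function names and sample lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

ENDPOINT = "/goform/webRead/open"  # endpoint named in the advisory
PARAM = "path"                     # parameter named in the advisory
# Assumed rule set: characters that let a value break out of a shell word.
SHELL_META = re.compile(r"[;&|`$<>\r\n]")
# Common Log Format prefix: client ident user [time] "METHOD target PROTO"
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "(\S+) (\S+) [^"]*"')


def suspicious_values(target):
    """Return decoded 'path' values in a request target that contain shell metacharacters."""
    parts = urlsplit(target)
    if parts.path.rstrip("/") != ENDPOINT:
        return []
    # parse_qs percent-decodes, so %3B / %7C style encodings are caught too.
    values = parse_qs(parts.query, keep_blank_values=True).get(PARAM, [])
    return [v for v in values if SHELL_META.search(v)]


def scan(lines):
    """Return (client, method, decoded_value) for each flagged request line."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # not an access-log line we understand
        client, method, target = m.groups()
        for value in suspicious_values(target):
            hits.append((client, method, value))
    return hits


# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [14/Oct/2025:10:00:01 +0000] "GET /goform/webRead/open?path=/tmp/report.txt HTTP/1.1" 200 512',
    '198.51.100.7 - - [14/Oct/2025:10:00:05 +0000] "GET /goform/webRead/open?path=%7Cecho+probe HTTP/1.1" 200 48',
    '198.51.100.7 - - [14/Oct/2025:10:00:09 +0000] "GET /index.html?path=%7Cecho+probe HTTP/1.1" 200 1024',
    '203.0.113.44 - - [14/Oct/2025:10:01:12 +0000] "POST /goform/webRead/open/?path=x%3Becho+probe HTTP/1.1" 200 48',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Hits on a management interface that should not be reachable from the internet are worth triaging even when the response code is an error, since the CVSS vector lists the attack as unauthenticated and network-reachable.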