CVE-2023-7304

  1. Yack CVE
  2. Vulnerabilities (CVE)
  3. CVE-2023-7304
CVSS

No CVSS.

R

uijie RG-UAC Application Management Gateway contains a command injection vulnerability via the 'nmc_sync.php' interface. An unauthenticated attacker able to reach the affected endpoint can inject shell commands via crafted request data, causing the application to execute arbitrary commands on the host. Successful exploitation can yield full control of the application process and may lead to system-level access depending on the service privileges. VulnCheck has observed this vulnerability being targeted by the RondoDox botnet campaign.

References
Link Resource
https://cn-sec.com/archives/2284248.html
https://www.vulncheck.com/advisories/ruijie-rg-uac-nmc-sync-php-command-injection
Configurations

No configuration.

History

21 Nov 2025, 17:15

Type Values Removed Values Added
Summary (en) Ruijie RG-UAC Application Management Gateway contains a command injection vulnerability via the 'nmc_sync.php' interface. An unauthenticated attacker able to reach the affected endpoint can inject shell commands via crafted request data, causing the application to execute arbitrary commands on the host. Successful exploitation can yield full control of the application process and may lead to system-level access depending on the service privileges. VulnCheck has observed this vulnerability being targeted by the RondoDox botnet campaign. (en) Ruijie RG-UAC Application Management Gateway contains a command injection vulnerability via the 'nmc_sync.php' interface. An unauthenticated attacker able to reach the affected endpoint can inject shell commands via crafted request data, causing the application to execute arbitrary commands on the host. Successful exploitation can yield full control of the application process and may lead to system-level access depending on the service privileges. VulnCheck has observed this vulnerability being targeted by the RondoDox botnet campaign.

15 Oct 2025, 15:16

Type Values Removed Values Added
Summary (en) Ruijie RG-UAC Application Management Gateway contains a command injection vulnerability via the 'nmc_sync.php' interface. An unauthenticated attacker able to reach the affected endpoint can inject shell commands via crafted request data, causing the application to execute arbitrary commands on the host. Successful exploitation can yield full control of the application process and may lead to system-level access depending on the service privileges. VulnCheck has observed this vulnerability being targeted by the Rondo botnet. (en) Ruijie RG-UAC Application Management Gateway contains a command injection vulnerability via the 'nmc_sync.php' interface. An unauthenticated attacker able to reach the affected endpoint can inject shell commands via crafted request data, causing the application to execute arbitrary commands on the host. Successful exploitation can yield full control of the application process and may lead to system-level access depending on the service privileges. VulnCheck has observed this vulnerability being targeted by the RondoDox botnet campaign.

15 Oct 2025, 02:15

Type Values Removed Values Added
New CVE
Information

Published : 2025-10-15 02:15

Updated : 2025-11-21 17:15

NVD link : CVE-2023-7304

Mitre link : CVE-2023-7304

CVE.ORG link : CVE-2023-7304

JSON object : View

Products Affected

No product.

CWE
CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')