One of the vulnerabilities, identified as CVE-2023-36618, allows an authenticated attacker with low privileges to execute arbitrary PHP functions and operating system commands with root privileges through the affected products’ web interface. The second vulnerability, CVE-2023-36619, can be exploited by an unauthenticated attacker to access and execute certain scripts, potentially leading to a denial-of-service condition or system configuration changes.
While SEC Consult considers these vulnerabilities to have a critical impact, Atos has assigned them a ‘high severity’ rating based on the CVSS score. According to Johannes Greil, the head of SEC Consult Vulnerability Lab, attackers could gain full control over the system and modify its configuration if they have knowledge of low-privileged user credentials.
Notably, the affected web interface is typically not exposed to the internet, and no reachable systems were identified through a brief Shodan analysis. Atos has released patches to address these vulnerabilities and has provided workarounds to mitigate the risk of exploitation.
SEC Consult has published a technical advisory on these vulnerabilities, although proof-of-concept exploit code has not been made public.