CVE-2023-24215 -- CVSS 9.1 Vulnerability Briefing
CVE-2023-24215 | CVSS 9.1 (Critical) | Exploit: No known exploit
What Is It
CVE-2023-24215 is an unauthenticated access control bypass affecting the /uci/get/ endpoint in NOVUS AirGate 4G firmware version 1.1.16, which exposes administrator credentials to any unauthenticated attacker with network access to the device.
Technical Detail
The flaw is an incorrect access control implementation on the /uci/get/ API endpoint, which fails to enforce authentication before processing POST requests. An attacker can craft a POST request to this endpoint and retrieve administrator credentials directly from the device without any prior authentication. Successful exploitation results in full administrative compromise of the affected gateway, enabling configuration changes, traffic interception, lateral movement into connected networks, or use of the device as a network pivot point.
Exploitation Status
No known exploit code has been publicly documented for this vulnerability, and it is not listed in the CISA Known Exploited Vulnerabilities catalog as of the date of this briefing. Despite the absence of confirmed public exploit tooling, the simplicity of the attack vector, a crafted unauthenticated POST request, means the barrier to exploitation is low and functional exploitation does not require sophisticated capability.
Who Is Targeting This
Confirmed (ATTAX-verified): Medusa Group (origin unknown, motivation unknown), FIN7 (origin unknown, motivation unknown), APT28 (Russia, nation-state motivation), UNC3886 (China, nation-state motivation), and APT3 (China, nation-state motivation) have all been associated with this vulnerability at high confidence. The presence of financially motivated actors such as FIN7 and Medusa Group alongside nation-state actors with established histories of targeting network infrastructure suggests broad interest across threat categories. No additional actors in the reported (research-inferred) tier are listed at this time.
What To Do
Organizations running NOVUS AirGate 4G devices should immediately verify whether firmware version 1.1.16 is deployed and apply any available vendor-supplied firmware update that addresses this access control flaw. If a patched firmware version is not yet available or cannot be immediately applied, restrict network access to the device management interface using firewall rules or ACLs to prevent untrusted hosts from reaching the /uci/get/ endpoint. Devices should not be exposed directly to the internet. Detection efforts should focus on anomalous unauthenticated POST requests to the /uci/get/ path in web server or gateway logs. Given the confirmed association with multiple high-capability threat actors including APT28 and UNC3886, this vulnerability should be treated as a priority remediation item in any environment where these devices are deployed, particularly in industrial, operational technology, or network edge contexts.
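Added example, not part of the original briefing: a Python script that applies the detection guidance above to constructed access-log lines, flagging POST requests to the /uci/get/ path that carry no authenticated user or originate outside an assumed management subnet. The combined log format, the remote-user field as the authentication signal, and the 192.168.10.0/24 management network are assumptions, since the device's real log format is not documented here.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample access-log lines in combined log format (not real device logs).
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2024:10:01:02 +0000] "POST /uci/get/ HTTP/1.1" 200 512 "-" "curl/8.1"
10.0.0.5 - - [12/Mar/2024:10:01:03 +0000] "POST /uci/get/ HTTP/1.1" 200 498 "-" "curl/8.1"
192.168.10.20 - admin [12/Mar/2024:10:02:10 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.168.10.20 - admin [12/Mar/2024:10:02:12 +0000] "POST /uci/get/ HTTP/1.1" 200 512 "http://gw/" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2024:10:05:00 +0000] "POST /uci/get/ HTTP/1.1" 200 512 "-" "python-requests/2.31"
"""

# Fields of the combined log format we need: source, remote user, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Assumed management network: only hosts inside it should ever reach the API.
MGMT_NET = ipaddress.ip_network("192.168.10.0/24")


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_suspicious(log_text, mgmt_net=MGMT_NET):
    """Return (alerts, per-source counts) for POSTs to /uci/get/ that lack an
    authenticated user or come from outside the management network.
    A 200 status on such a request indicates the access control bypass worked."""
    alerts, counts = [], Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["method"] != "POST" or not rec["path"].startswith("/uci/get"):
            continue
        reasons = []
        if rec["user"] == "-":  # no authenticated user recorded for the request
            reasons.append("no-auth-user")
        if ipaddress.ip_address(rec["src"]) not in mgmt_net:
            reasons.append("outside-mgmt-net")
        if reasons:
            counts[rec["src"]] += 1
            alerts.append({"src": rec["src"], "ts": rec["ts"],
                           "status": rec["status"], "reasons": reasons})
    return alerts, counts


if __name__ == "__main__":
    found, per_source = find_suspicious(SAMPLE_LOG)
    for alert in found:
        print(alert)
    print("attempts per source:", dict(per_source))
```

Repeated hits from one source, as counted in the second return value, are the pattern worth escalating; a single 200 response to an unauthenticated request already means credentials may have been read.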