PatchSiren

CVE-2023-49897 FXC CVE debrief

CVE-2023-49897 is an OS command injection issue affecting FXC AE1021 and AE1021PE. CISA added it to the Known Exploited Vulnerabilities catalog on 2023-12-21, which marks it as a known exploited vulnerability. The supplied source corpus does not include deeper technical specifics, so the main defensive takeaway is to remediate these devices immediately, either by following vendor guidance or by removing them from service if no mitigation is available.

Vendor: FXC
Product: AE1021, AE1021PE
CVSS: Unknown
CISA KEV: Listed
Original CVE published: 2023-12-21
Original CVE updated: 2023-12-21
Advisory published: 2023-12-21
Advisory updated: 2023-12-21

Who should care

Organizations that operate FXC AE1021 or AE1021PE devices, especially asset owners, network/security teams, and administrators responsible for device remediation and access control.

Technical summary

The public record identifies CVE-2023-49897 as an OS command injection vulnerability in FXC AE1021 and AE1021PE. CISA's KEV listing, dated 2023-12-21, places the issue in a known-exploited category and includes remediation guidance that points to vendor mitigations or discontinuing use of the product if mitigations are unavailable. No additional exploit mechanics are provided in the supplied corpus.

Defensive priority

High / urgent. This is a KEV-listed issue with a remediation deadline in the supplied timeline (2024-01-11), so affected deployments should be triaged and remediated as quickly as possible.

Recommended defensive actions

  • Inventory all FXC AE1021 and AE1021PE devices to confirm where they are deployed.
  • Apply vendor-provided mitigations or fixes from the official FXC advisory referenced by CISA, if available.
  • If mitigations are unavailable, discontinue use or remove the product as directed in the CISA notes.
  • Restrict administrative and management access to affected devices, especially from untrusted networks.
  • Review device and network logs for unusual configuration changes or unexpected command-related activity.
  • Verify that remediation is complete across all sites before the CISA KEV due date.

Evidence notes

CISA's KEV entry for this CVE was published on 2023-12-21 and marks the vulnerability as known exploited. The KEV metadata says: "Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable." CISA's notes also reference the FXC advisory at https://www.fxc.jp/news/20231206 and the NVD detail page at https://nvd.nist.gov/vuln/detail/CVE-2023-49897. The supplied corpus does not include the full vendor advisory text.

Official resources

Publicly disclosed in the CVE/CISA ecosystem on 2023-12-21, with the same date used for the supplied CVE and KEV records.