PatchSiren cyber security CVE debrief
CVE-2023-35064 Satos CVE debrief
CVE-2023-35064 is a critical SQL injection vulnerability in Satos Mobile affecting versions before 20230607. The published CVE record and NVD data indicate the issue can be reached through SOAP parameter tampering, and NVD rates it 9.8 (CVSS 3.1) with network access, no privileges required, and no user interaction. In practical defensive terms, this is a high-priority fix for any environment exposing Satos Mobile services.
- Vendor: Satos
- Product: Satos Mobile
- CVSS: CRITICAL 9.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2023-06-13
- Original CVE updated: 2024-11-21
- Advisory published: 2023-06-13
- Advisory updated: 2024-11-21
Who should care
Security teams, application owners, and administrators responsible for Satos Mobile deployments should treat this as urgent. Developers or integrators handling SOAP request parsing and parameter validation should also review the affected code path.
Technical summary
The CVE description states there is an improper neutralization of special elements used in an SQL command (CWE-89) in Satos Mobile before 20230607. NVD metadata classifies the weakness as SQL injection and provides a vulnerable CPE range ending before version 20230607. The CVSS vector (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) indicates the issue is network exploitable, low complexity, and can lead to severe confidentiality, integrity, and availability impact. The source metadata also notes SOAP parameter tampering as the entry point.
Defensive priority
Critical. Based on the published CVSS 9.8 vector and the lack of required privileges or user interaction, this should be remediated as soon as possible.
Recommended defensive actions
- Upgrade Satos Mobile to version 20230607 or later, consistent with the vulnerable version boundary in the NVD CPE criteria.
- Review SOAP request handling and parameter validation paths for SQL injection risk, especially where user-controlled values are incorporated into database queries.
- Confirm that exposed Satos Mobile endpoints are patched or otherwise protected before allowing external access.
- Monitor application and database logs for SQL syntax errors, unusual query patterns, or unexpected SOAP parameters that may indicate probing.
- If immediate upgrading is not possible, reduce exposure by restricting network access to the affected service and applying compensating controls while remediation is scheduled.
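To make the code-review point concrete, the following is an added example and not Satos code: a hypothetical SOAP handler that splices a request parameter into SQL text (the CWE-89 pattern this CVE describes) next to a hardened version that validates the parameter against an allow-list and binds it. The request shape, table and function names are assumptions for illustration.

```python
import sqlite3
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"


def build_db():
    """Constructed in-memory table standing in for an application user store."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT, role TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)",
                    [("alice", "admin"), ("bob", "user")])
    return con


def envelope(username: str) -> str:
    """Build a hypothetical SOAP request carrying one 'username' parameter."""
    return (f'<soap:Envelope xmlns:soap="{SOAP_NS}"><soap:Body>'
            f'<GetUser><username>{username}</username></GetUser>'
            '</soap:Body></soap:Envelope>')


def soap_param(envelope_xml: str, name: str) -> str:
    """Extract the text of a single parameter from the SOAP Body."""
    root = ET.fromstring(envelope_xml)
    body = root.find(f"{{{SOAP_NS}}}Body")
    node = body.find(f".//{name}") if body is not None else None
    return node.text if node is not None and node.text else ""


def lookup_unsafe(con, envelope_xml):
    """CWE-89 pattern: the SOAP parameter is spliced straight into the SQL string."""
    user = soap_param(envelope_xml, "username")
    sql = f"SELECT username FROM users WHERE username = '{user}'"
    return [row[0] for row in con.execute(sql)]


def lookup_safe(con, envelope_xml):
    """Hardened: reject anything outside the expected shape, then bind the value."""
    user = soap_param(envelope_xml, "username")
    if not user.isalnum() or len(user) > 32:
        raise ValueError("rejected SOAP parameter: unexpected characters or length")
    return [row[0] for row in con.execute(
        "SELECT username FROM users WHERE username = ?", (user,))]
```

Run with a tampered parameter such as a quote followed by an always-true condition: the unsafe handler returns every row, while the hardened one rejects the request before any query runs.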
Evidence notes
The CVE description explicitly states SQL Injection in Satos Mobile before 20230607. NVD metadata lists CWE-89, a CVSS 3.1 vector of AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, and a vulnerable CPE ending before version 20230607. The supplied USOM reference URL is marked broken in the source metadata, so the debrief relies on the CVE record and NVD fields provided in the corpus.
Official resources
- CVE-2023-35064 CVE record (CVE.org)
- CVE-2023-35064 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: USOM reference, marked as a broken link in the source metadata
Published by the CVE Program on 2023-06-13. The supplied record shows a later NVD modification on 2024-11-21; that date reflects record maintenance, not the original issue date.