PatchSiren cyber security CVE debrief

CVE-2023-3049 TMT CVE debrief

CVE-2023-3049 is a critical vulnerability in TMT Lockcell before version 15. Public records describe an unrestricted upload of a file with a dangerous type that can lead to command injection. NVD rates the issue 9.8/10, indicating network-reachable impact with no privileges or user interaction required.

Vendor: TMT
Product: Lockcell
CVSS: CRITICAL 9.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2023-06-13
Original CVE updated: 2024-11-21
Advisory published: 2023-06-13
Advisory updated: 2024-11-21

Who should care

Administrators and operators of TMT Lockcell systems running versions before 15, especially teams responsible for device management, exposed web services, file upload handling, and incident response.

Technical summary

The NVD record classifies this issue as CVE-2023-3049 with CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, reflecting a remotely reachable issue with high confidentiality, integrity, and availability impact. The weakness is mapped to CWE-434 (unrestricted upload of file with dangerous type). The CVE description states that the issue affects Lockcell before 15 and can result in command injection. The supplied references also point to USOM and a third-party advisory that discuss the same issue.

Defensive priority

Immediate / Critical

Recommended defensive actions

  • Upgrade TMT Lockcell to version 15 or later, or the first fixed release if your vendor guidance names a newer patch.
  • Inventory all Lockcell deployments and confirm whether any systems are running versions before 15.
  • Review any file upload functionality associated with Lockcell and restrict uploads to an explicit allowlist of safe file types.
  • Ensure uploaded files are stored outside executable paths and cannot be interpreted as code or scripts by the host system.
  • Monitor for unusual upload activity, unexpected command execution, and any signs of post-exploitation on exposed systems.
  • If exposed systems may have been reachable before patching, review logs and configuration changes for evidence of tampering or abuse.
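The upload-hardening items above (explicit allowlist, content checked against the declared type, storage outside any executable path, no reuse of the caller's filename) fit together in a single intake routine. The following Python is an added example, not code from TMT Lockcell or from PatchSiren; the allowed types, size limit, filename pattern and temporary upload directory are assumptions chosen for illustration, and the sample inputs are constructed in the block.

```python
"""Hardened file-upload intake illustrating the CWE-434 mitigations listed above.

Added example, not code from TMT Lockcell or from PatchSiren. The allowed
types, size limit and directory layout are assumptions for illustration.
"""
import os
import re
import secrets
import tempfile

# Extension allowlist with the leading bytes each type must carry (assumed set;
# tune it to what the application genuinely needs, and keep it short).
ALLOWED_TYPES = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "pdf": (b"%PDF-",),
}
MAX_BYTES = 5 * 1024 * 1024   # assumed size cap

# Exactly one dot: rejects "x.php.png", dotfiles, and any path separator.
_SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]{1,64}\.([A-Za-z0-9]{1,8})$")


def vet_upload(filename: str, data: bytes) -> tuple:
    """Return (True, canonical_extension) or (False, reason). Never raises."""
    if "\x00" in filename or os.path.basename(filename) != filename:
        return False, "filename contains NUL or path components"
    m = _SAFE_NAME.match(filename)
    if not m:
        return False, "filename must be name.ext with a single extension"
    ext = m.group(1).lower()
    ext = "jpg" if ext == "jpeg" else ext
    if ext not in ALLOWED_TYPES:
        return False, f"extension .{ext} is not on the allowlist"
    if not data or len(data) > MAX_BYTES:
        return False, "empty or oversized upload"
    # Check the content, not just the name: a script renamed to .png fails here.
    if not data.startswith(ALLOWED_TYPES[ext]):
        return False, "content does not match the declared type"
    return True, ext


def store_upload(filename: str, data: bytes, upload_dir: str) -> str:
    """Write a vetted upload under a random name into a directory that sits
    outside the web root and is never interpreted as code. Returns the path."""
    ok, detail = vet_upload(filename, data)
    if not ok:
        raise ValueError(detail)
    stored = f"{secrets.token_hex(16)}.{detail}"   # caller's name is never reused
    path = os.path.join(upload_dir, stored)
    # O_EXCL refuses to overwrite; mode 0o600 leaves no execute bit set.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path


# Constructed samples (not real files): a minimal PNG header and a script body.
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 64
SAMPLE_SCRIPT = b"<?php /* script body */ ?>"

if __name__ == "__main__":
    cases = [
        ("photo.png", SAMPLE_PNG),        # accepted
        ("tool.php", SAMPLE_SCRIPT),      # extension not on the allowlist
        ("photo.php.png", SAMPLE_PNG),    # double extension
        ("../photo.png", SAMPLE_PNG),     # path component in the name
        ("photo.png", SAMPLE_SCRIPT),     # script disguised as an image
    ]
    for name, blob in cases:
        print(f"{name!r:18} -> {vet_upload(name, blob)}")
    # Stand-in for a directory such as /var/lib/app/uploads (assumed path).
    upload_dir = tempfile.mkdtemp(prefix="uploads-")
    print("stored at", store_upload("photo.png", SAMPLE_PNG, upload_dir))
```

The ordering matters: the name is checked before the body so that an attacker-controlled filename never reaches the filesystem, and the body is checked before writing so that nothing unvetted is ever on disk. Serving the stored file back through a handler that sets an explicit Content-Type from the vetted extension, rather than by exposing the upload directory, completes the separation between data and code.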

Evidence notes

The debrief is based on the supplied CVE record and NVD metadata. The CVE description states: 'Unrestricted Upload of File with Dangerous Type vulnerability in TMT Lockcell allows Command Injection' and notes that the issue affects Lockcell before 15. NVD supplies the CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H and maps the weakness to CWE-434. The reference set includes the CVE record, NVD detail page, and third-party advisories from USOM and fordefence.

Official resources

Publicly disclosed on 2023-06-13 and last modified in the supplied record on 2024-11-21.