CVE-2026-23759 (GCVE-0-2026-23759)
Vulnerability from cvelistv5 – Published: 2026-03-17 15:20 – Updated: 2026-03-17 16:09
VLAI?
Title
Perle IOLAN STS/SCS Authenticated Command Injection via 'shell ps'
Summary
Perle IOLAN STS/SCS terminal server models with firmware versions prior to 6.0 allow authenticated OS command injection via the restricted shell accessed over Telnet or SSH. The shell 'ps' command does not perform proper argument sanitization and passes user-supplied parameters into an 'sh -c' invocation running as root. An authenticated attacker who can log in to the device can inject shell metacharacters after the 'ps' subcommand to execute arbitrary OS commands with root privileges, leading to full compromise of the underlying operating system.
Severity ?
CWE
- CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Perle Systems | IOLAN STS |
Affected:
0 , < 6.0
(semver)
|
|||||||
|
|||||||||
Credits
Victor A. Morales, Senior Pentester Team Leader, GM Sectec, Corp.
Omar Crespo, Pentester, GM Sectec, Corp.
VulnCheck
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-23759",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-17T16:09:03.805747Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-17T16:09:08.925Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "IOLAN STS",
"vendor": "Perle Systems",
"versions": [
{
"lessThan": "6.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "IOLAN SCS",
"vendor": "Perle Systems",
"versions": [
{
"lessThan": "6.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Victor A. Morales, Senior Pentester Team Leader, GM Sectec, Corp."
},
{
"lang": "en",
"type": "finder",
"value": "Omar Crespo, Pentester, GM Sectec, Corp."
},
{
"lang": "en",
"type": "coordinator",
"value": "VulnCheck"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Perle IOLAN STS/SCS terminal server models with firmware versions prior to 6.0 allow authenticated OS command injection via the restricted shell accessed over Telnet or SSH. The shell \u0027ps\u0027 command does not perform proper argument sanitization and passes user-supplied parameters into an \u0027sh -c\u0027 invocation running as root. An authenticated attacker who can log in to the device can inject shell metacharacters after the \u0027ps\u0027 subcommand to execute arbitrary OS commands with root privileges, leading to full compromise of the underlying operating system."
}
],
"value": "Perle IOLAN STS/SCS terminal server models with firmware versions prior to 6.0 allow authenticated OS command injection via the restricted shell accessed over Telnet or SSH. The shell \u0027ps\u0027 command does not perform proper argument sanitization and passes user-supplied parameters into an \u0027sh -c\u0027 invocation running as root. An authenticated attacker who can log in to the device can inject shell metacharacters after the \u0027ps\u0027 subcommand to execute arbitrary OS commands with root privileges, leading to full compromise of the underlying operating system."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78 Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-17T15:20:34.202Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"tags": [
"product"
],
"url": "https://www.perle.com/downloads/server_sds_sts_rackmount.shtml"
},
{
"tags": [
"product"
],
"url": "https://www.perle.com/support_services/documentation_pdfs/iolan_scs-sds-sts_ug.pdf"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/perle-iolan-sts-scs-authenticated-command-injection-via-shell-ps"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan\u003eThe vendor has stated that the IOLAN SCG and SCR models do not contain this vulnerable functionality.\u003c/span\u003e\u003cbr\u003e"
}
],
"value": "The vendor has stated that the IOLAN SCG and SCR models do not contain this vulnerable functionality."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Perle IOLAN STS/SCS Authenticated Command Injection via \u0027shell ps\u0027",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2026-23759",
"datePublished": "2026-03-17T15:20:10.743Z",
"dateReserved": "2026-01-15T18:42:20.938Z",
"dateUpdated": "2026-03-17T16:09:08.925Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2026-23759\",\"sourceIdentifier\":\"disclosure@vulncheck.com\",\"published\":\"2026-03-17T16:16:20.127\",\"lastModified\":\"2026-03-18T14:52:44.227\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Perle IOLAN STS/SCS terminal server models with firmware versions prior to 6.0 allow authenticated OS command injection via the restricted shell accessed over Telnet or SSH. The shell \u0027ps\u0027 command does not perform proper argument sanitization and passes user-supplied parameters into an \u0027sh -c\u0027 invocation running as root. An authenticated attacker who can log in to the device can inject shell metacharacters after the \u0027ps\u0027 subcommand to execute arbitrary OS commands with root privileges, leading to full compromise of the underlying operating system.\"},{\"lang\":\"es\",\"value\":\"Modelos de servidor terminal Perle IOLAN STS/SCS con versiones de firmware anteriores a la 6.0 permiten la inyecci\u00f3n de comandos del sistema operativo autenticada a trav\u00e9s de la shell restringida a la que se accede por Telnet o SSH. El comando \u0027ps\u0027 de la shell no realiza una sanitizaci\u00f3n adecuada de los argumentos y pasa par\u00e1metros proporcionados por el usuario a una invocaci\u00f3n de \u0027sh -c\u0027 que se ejecuta como root. Un atacante autenticado que puede iniciar sesi\u00f3n en el dispositivo puede inyectar metacaracteres de shell despu\u00e9s del subcomando \u0027ps\u0027 para ejecutar comandos arbitrarios del sistema operativo con privilegios de root, lo que lleva a un compromiso total del sistema operativo subyacente.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"disclosure@vulncheck.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":8.6,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"NONE\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"NONE\",\"vulnConfidentialityImpact\":\"HIGH\",\"vulnIntegrityImpact\":\"HIGH\",\"vulnAvailabilityImpact\":\"HIGH\",\"subConfidentialityImpact\":\"NONE\",\"subIntegrityImpact\":\"NONE\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}],\"cvssMetricV31\":[{\"source\":\"disclosure@vulncheck.com\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":7.2,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.2,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"disclosure@vulncheck.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-78\"}]}],\"references\":[{\"url\":\"https://www.perle.com/downloads/server_sds_sts_rackmount.shtml\",\"source\":\"disclosure@vulncheck.com\"},{\"url\":\"https://www.perle.com/support_services/documentation_pdfs/iolan_scs-sds-sts_ug.pdf\",\"source\":\"disclosure@vulncheck.com\"},{\"url\":\"https://www.vulncheck.com/advisories/perle-iolan-sts-scs-authenticated-command-injection-via-shell-ps\",\"source\":\"disclosure@vulncheck.com\"}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-23759\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-03-17T16:09:03.805747Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-03-17T16:09:05.704Z\"}}], \"cna\": {\"title\": \"Perle IOLAN STS/SCS Authenticated Command Injection via \u0027shell ps\u0027\", \"source\": {\"discovery\": \"EXTERNAL\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Victor A. Morales, Senior Pentester Team Leader, GM Sectec, Corp.\"}, {\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Omar Crespo, Pentester, GM Sectec, Corp.\"}, {\"lang\": \"en\", \"type\": \"coordinator\", \"value\": \"VulnCheck\"}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV4_0\": {\"Safety\": \"NOT_DEFINED\", \"version\": \"4.0\", \"Recovery\": \"NOT_DEFINED\", \"baseScore\": 8.6, \"Automatable\": \"NOT_DEFINED\", \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"valueDensity\": \"NOT_DEFINED\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N\", \"exploitMaturity\": \"NOT_DEFINED\", \"providerUrgency\": \"NOT_DEFINED\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"NONE\", \"privilegesRequired\": \"HIGH\", \"subIntegrityImpact\": \"NONE\", \"vulnIntegrityImpact\": \"HIGH\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"HIGH\", \"subConfidentialityImpact\": \"NONE\", \"vulnConfidentialityImpact\": \"HIGH\", \"vulnerabilityResponseEffort\": \"NOT_DEFINED\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}, {\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 7.2, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"HIGH\", \"confidentialityImpact\": \"HIGH\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"Perle Systems\", \"product\": \"IOLAN STS\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"6.0\", \"versionType\": \"semver\"}], \"defaultStatus\": \"unaffected\"}, {\"vendor\": \"Perle Systems\", \"product\": \"IOLAN SCS\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"6.0\", \"versionType\": \"semver\"}], \"defaultStatus\": \"unaffected\"}], \"solutions\": [{\"lang\": \"en\", \"value\": \"The vendor has stated that the IOLAN SCG and SCR models do not contain this vulnerable functionality.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cspan\u003eThe vendor has stated that the IOLAN SCG and SCR models do not contain this vulnerable functionality.\u003c/span\u003e\u003cbr\u003e\", \"base64\": false}]}], \"references\": [{\"url\": \"https://www.perle.com/downloads/server_sds_sts_rackmount.shtml\", \"tags\": [\"product\"]}, {\"url\": \"https://www.perle.com/support_services/documentation_pdfs/iolan_scs-sds-sts_ug.pdf\", \"tags\": [\"product\"]}, {\"url\": \"https://www.vulncheck.com/advisories/perle-iolan-sts-scs-authenticated-command-injection-via-shell-ps\", \"tags\": [\"third-party-advisory\"]}], \"x_generator\": {\"engine\": \"Vulnogram 0.5.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"Perle IOLAN STS/SCS terminal server models with firmware versions prior to 6.0 allow authenticated OS command injection via the restricted shell accessed over Telnet or SSH. The shell \u0027ps\u0027 command does not perform proper argument sanitization and passes user-supplied parameters into an \u0027sh -c\u0027 invocation running as root. An authenticated attacker who can log in to the device can inject shell metacharacters after the \u0027ps\u0027 subcommand to execute arbitrary OS commands with root privileges, leading to full compromise of the underlying operating system.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"Perle IOLAN STS/SCS terminal server models with firmware versions prior to 6.0 allow authenticated OS command injection via the restricted shell accessed over Telnet or SSH. The shell \u0027ps\u0027 command does not perform proper argument sanitization and passes user-supplied parameters into an \u0027sh -c\u0027 invocation running as root. An authenticated attacker who can log in to the device can inject shell metacharacters after the \u0027ps\u0027 subcommand to execute arbitrary OS commands with root privileges, leading to full compromise of the underlying operating system.\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-78\", \"description\": \"CWE-78 Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"83251b91-4cc7-4094-a5c7-464a1b83ea10\", \"shortName\": \"VulnCheck\", \"dateUpdated\": \"2026-03-17T15:20:34.202Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2026-23759\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-03-17T16:09:08.925Z\", \"dateReserved\": \"2026-01-15T18:42:20.938Z\", \"assignerOrgId\": \"83251b91-4cc7-4094-a5c7-464a1b83ea10\", \"datePublished\": \"2026-03-17T15:20:10.743Z\", \"assignerShortName\": \"VulnCheck\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…