CVE-2023-48261: CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in Rexroth Nexo cordless nutrunner NXA015S-36V (0608842001)

Severity: Medium
Published: Wed Jan 10 2024 (01/10/2024, 13:07:22 UTC)
Source: CVE Database V5
Vendor/Project: Rexroth
Product: Nexo cordless nutrunner NXA015S-36V (0608842001)

Description

The vulnerability allows a remote unauthenticated attacker to read arbitrary content of the results database via a crafted HTTP request.

AI-Powered Analysis

Last updated: 07/04/2025, 09:41:40 UTC

Technical Analysis

CVE-2023-48261 is a medium-severity SQL injection vulnerability (CWE-89) in the Rexroth Nexo cordless nutrunner NXA015S-36V (0608842001), specifically affecting the NEXO-OS V1000-Release firmware. The device improperly neutralizes special elements in SQL commands, so a remote, unauthenticated attacker can send a specially crafted HTTP request and read arbitrary content from the device's results database. Exploitation requires no authentication or user interaction, and the attack vector is the network. The CVSS v3.1 base score is 5.3 (medium), with impact limited to confidentiality (read access to data) and no impact on integrity or availability. No known exploits are currently reported in the wild, and no patches have been linked yet. The issue arises from insufficient input validation and sanitization of HTTP request parameters that are used directly in SQL queries, which enables injection of SQL code to extract data stored in the device's database. This could expose operational data or sensitive configuration details stored on the nutrunner device.

Potential Impact

For European organizations using Rexroth Nexo cordless nutrunners, particularly in manufacturing or industrial automation environments, this vulnerability poses a risk of unauthorized disclosure of sensitive operational data. While the vulnerability does not allow modification or disruption of device functions, the leakage of database contents could reveal production parameters, process results, or other proprietary information. This could lead to industrial espionage, loss of competitive advantage, or compliance issues related to data protection regulations such as GDPR if personal or sensitive data is involved. The remote and unauthenticated nature of the exploit increases the risk, especially if these devices are accessible from less secure network segments or exposed to the internet. However, the lack of known exploits and the medium severity rating suggest that the immediate risk is moderate but should not be ignored, especially in critical manufacturing environments where Rexroth devices are deployed.

Mitigation Recommendations

Organizations should immediately assess their deployment of Rexroth Nexo cordless nutrunners to identify affected devices running NEXO-OS V1000-Release. Network segmentation should be enforced to isolate these devices from untrusted networks and limit access to trusted personnel and systems only. Monitoring HTTP traffic to these devices for unusual or malformed requests can help detect attempted exploitation. Since no patches are currently available, contacting Rexroth for official firmware updates or mitigation guidance is critical. As a temporary measure, implementing web application firewalls (WAFs) or intrusion prevention systems (IPS) with custom rules to block suspicious SQL injection patterns targeting the device's HTTP interface can reduce risk. Additionally, reviewing and hardening device configuration to disable unnecessary network services or interfaces can minimize exposure. Finally, organizations should incorporate this vulnerability into their vulnerability management and incident response processes to ensure timely detection and remediation once patches are released.
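
Added example (not part of the original entry and not Rexroth code): a log filter for the HTTP monitoring step above, flagging SQL metacharacters in query parameters of requests sent to the nutrunners, including double-encoded input. The log layout, the device IPs and the /example/results path are assumptions, and the sample lines are constructed.

```python
import re
from collections import Counter
from urllib.parse import parse_qsl, unquote_plus, urlsplit

DEVICE_IPS = {"192.0.2.10", "192.0.2.11"}  # assumption: nutrunner addresses from inventory
# Assumed log layout: timestamp src_ip dst_ip method url status
LINE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\d{3})$")
# Quote, comment and keyword patterns that a result identifier never needs.
SQLI = re.compile(r"'|--|/\*|;|\bunion\b.+\bselect\b|\bor\b\s+\S+\s*=\s*\S+", re.I)


def fully_decode(value, rounds=3):
    """Undo nested percent-encoding so double-encoded input is inspected too."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_suspicious(lines):
    """Return (timestamp, src, dst, param, decoded_value) for each flagged parameter."""
    hits = []
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue  # not in the assumed layout
        ts, src, dst, _method, url, _status = m.groups()
        if dst not in DEVICE_IPS:
            continue  # only traffic addressed to the nutrunners is in scope
        for name, raw in parse_qsl(urlsplit(url).query, keep_blank_values=True):
            value = fully_decode(raw)
            if SQLI.search(value):
                hits.append((ts, src, dst, name, value))
    return hits


def hits_per_source(hits):
    """Count flagged parameters per source address for triage."""
    return Counter(src for _ts, src, *_rest in hits)


# Constructed sample lines; /example/results is a placeholder, not a device endpoint.
SAMPLE_LOG = [
    "2024-01-10T13:00:01Z 198.51.100.7 192.0.2.10 GET /example/results?id=42 200",
    "2024-01-10T13:00:05Z 198.51.100.7 192.0.2.10 GET /example/results?id=42%27%20OR%201%3D1-- 200",
    "2024-01-10T13:00:09Z 203.0.113.5 192.0.2.11 GET /example/results?id=1%2527%2520UNION%2520SELECT%2520x 500",
    "2024-01-10T13:00:12Z 203.0.113.5 192.0.2.99 GET /other?q=it%27s 200",
]
```

Because the device interface is unauthenticated, any hit from a source outside the engineering workstations is worth correlating with firewall logs for that address.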

Technical Details

Data Version: 5.1
Assigner Short Name: bosch
Date Reserved: 2023-11-13T13:44:23.706Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 683f0a31182aa0cae27f6ece

Added to database: 6/3/2025, 2:44:01 PM

Last enriched: 7/4/2025, 9:41:40 AM

Last updated: 8/15/2025, 4:19:27 AM
