OTPulse

Baicells Nova

Act Now | CVSS 9.8 | ICS-CERT ICSA-23-061-02 | Mar 2, 2023
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Baicells Nova 436Q, Nova 430E, Nova 430I, and Neutrino 430 base stations contain a command injection vulnerability (CWE-77) in firmware versions QRTB 2.12.7 and earlier. The vulnerability allows pre-login command execution with root permissions on the device. CVSS score is 9.8 (critical). Baicells has released a fix in firmware version QRTB 2.12.8 and later. No public exploits are known, and the vulnerability is not remotely exploitable in the traditional sense—it requires network access to the device's management interface.

What this means
What could happen
An attacker with network access to a Baicells base station could execute arbitrary commands with root privileges before authentication, potentially disrupting cellular service to connected devices or altering the radio access network configuration.
Who's at risk
Wireless service providers and mobile operators deploying Baicells Nova 436Q, Nova 430E, Nova 430I, and Neutrino 430 base stations for cellular coverage should prioritize this issue. These are small cell/LTE base stations commonly used in enterprise campuses, industrial sites, and rural deployments to extend cellular coverage for critical communications.
How it could be exploited
An attacker must have network access to the management port of the base station. The vulnerability allows command execution during the pre-login phase, meaning the attacker does not need valid credentials to exploit it. Once exploited, the attacker gains root-level command execution on the device.
Prerequisites
  • Network access to the affected base station management interface
  • No authentication credentials required
  • Device running firmware version QRTB 2.12.7 or earlier
  • No authentication required for exploitation
  • Low complexity attack
  • No patch available for affected versions
  • Allows root-level command execution
Exploitability
Low exploit probability (EPSS 0.5%)
Affected products (4)
4 with fix
Product | Affected Versions | Fix Status
Nova 436Q | ≤ QRTB 2.12.7 (<=QRTB_2.12.7) | QRTB 2.12.8 or later
Nova 430E | ≤ QRTB 2.12.7 (<=QRTB_2.12.7) | QRTB 2.12.8 or later
Nova 430I | ≤ QRTB 2.12.7 (<=QRTB_2.12.7) | QRTB 2.12.8 or later
Neutrino 430 | ≤ QRTB 2.12.7 (<=QRTB_2.12.7) | QRTB 2.12.8 or later
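An added example (not part of the advisory and not Baicells tooling): triaging a device inventory against the affected range listed above. The comma-separated inventory layout, the host names and the function names are constructed assumptions; the model names and version boundary come from the advisory.

```python
import re

# Affected models and the first fixed release, both taken from the advisory.
AFFECTED_MODELS = {"nova 436q", "nova 430e", "nova 430i", "neutrino 430"}
FIRST_FIXED = (2, 12, 8)

# Accepts "QRTB 2.12.7" and "QRTB_2.12.7" (space or underscore after QRTB).
_FW_RE = re.compile(r"QRTB[ _](\d+)\.(\d+)\.(\d+)", re.IGNORECASE)


def parse_firmware(text):
    """Return the QRTB version as a tuple of ints, or None if unparseable."""
    m = _FW_RE.search(text)
    return tuple(int(p) for p in m.groups()) if m else None


def triage(model, firmware):
    """Classify a device: 'not-affected', 'vulnerable', 'fixed' or 'unknown'."""
    if " ".join(model.lower().split()) not in AFFECTED_MODELS:
        return "not-affected"
    version = parse_firmware(firmware)
    if version is None:
        return "unknown"  # unreadable version on an affected model: check by hand
    # Integer tuples compare numerically, so 2.9.10 sorts below 2.12.8.
    return "vulnerable" if version < FIRST_FIXED else "fixed"


def triage_inventory(lines):
    """Triage 'host,model,firmware' lines (hypothetical inventory format)."""
    results = {}
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, model, firmware = (f.strip() for f in line.split(",", 2))
        results[host] = triage(model, firmware)
    return results


# Constructed sample inventory; host names and layout are made up.
SAMPLE_INVENTORY = """\
enb-site-01,Nova 436Q,QRTB 2.12.7
enb-site-02,Nova 430E,QRTB_2.12.8
enb-site-03,Neutrino 430,QRTB 2.9.10
enb-site-04,Nova 430I,
enb-site-05,Other Vendor eNB,1.0.0
""".splitlines()

if __name__ == "__main__":
    print(triage_inventory(SAMPLE_INVENTORY))
```

Devices reported as "unknown" are affected models whose firmware string could not be read and should be checked manually rather than assumed fixed.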
Remediation & Mitigation
Do now
WORKAROUND: Restrict network access to base station management interfaces using firewall rules; do not expose management ports to untrusted networks
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Upgrade Nova 436Q, Nova 430E, Nova 430I, and Neutrino 430 devices to firmware version QRTB 2.12.8 or later
Long-term hardening
HARDENING: Implement network segmentation to isolate the radio access network from business networks and the Internet
HARDENING: If remote management is required, deploy it only through secure VPN connections with the latest available patches