Baicells Nova

Plan Patch | CVSS 9.8 | ICS-CERT ICSA-23-061-02 | Mar 2, 2023
Attack path
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Baicells Nova 436Q, Nova 430E, Nova 430I, and Neutrino 430 base stations contain a command injection vulnerability (CWE-77) in firmware versions QRTB 2.12.7 and earlier. The vulnerability allows pre-login command execution with root permissions on the device. CVSS score is 9.8 (critical). Baicells has released a fix in firmware version QRTB 2.12.8 and later. No public exploits are known, and the vulnerability is not remotely exploitable in the traditional sense—it requires network access to the device's management interface.

What this means
What could happen
An attacker with network access to a Baicells base station could execute arbitrary commands with root privileges before authentication, potentially disrupting cellular service to connected devices or altering the radio access network configuration.
Who's at risk
Wireless service providers and mobile operators deploying Baicells Nova 436Q, Nova 430E, Nova 430I, and Neutrino 430 base stations for cellular coverage should prioritize this issue. These are small cell/LTE base stations commonly used in enterprise campuses, industrial sites, and rural deployments to extend cellular coverage for critical communications.
How it could be exploited
An attacker must have network access to the management port of the base station. The vulnerability allows command execution during the pre-login phase, meaning the attacker does not need valid credentials to exploit it. Once exploited, the attacker gains root-level command execution on the device.
Prerequisites
  • Network access to the affected base station management interface
  • No authentication credentials required
  • Device running firmware version QRTB 2.12.7 or earlier
  • No authentication required for exploitation
  • Low complexity attack
  • No patch available for affected versions
  • Allows root-level command execution
Exploitability
Unlikely to be exploited — EPSS score 0.5%
Affected products (4)
4 with fix
Product | Affected Versions | Fix Status
Nova 436Q | ≤ QRTB 2.12.7 | QRTB 2.12.8+
Nova 430E | ≤ QRTB 2.12.7 | QRTB 2.12.8+
Nova 430I | ≤ QRTB 2.12.7 | QRTB 2.12.8+
Neutrino 430 | ≤ QRTB 2.12.7 | QRTB 2.12.8+
Remediation & Mitigation
Do now
WORKAROUND: Restrict network access to base station management interfaces using firewall rules; do not expose management ports to untrusted networks
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Upgrade Nova 436Q, Nova 430E, Nova 430I, and Neutrino 430 devices to firmware version QRTB 2.12.8 or later
Long-term hardening
HARDENING: Implement network segmentation to isolate the radio access network from business networks and the Internet
HARDENING: If remote management is required, deploy it only through secure VPN connections with the latest available patches
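
To find which units still need the upgrade, the following added example (not from Baicells or the advisory) triages a fleet inventory against the affected models and the fixed release QRTB 2.12.8. The CSV layout, the host names, the "Example 100" model and the accepted firmware string forms are assumptions; the sample inventory is constructed.

```python
import csv
import io
import re

# Models and first fixed release as listed in the advisory.
AFFECTED_MODELS = {"nova 436q", "nova 430e", "nova 430i", "neutrino 430"}
FIXED = (2, 12, 8)

# Assumption: the firmware string contains "QRTB" followed by a dotted
# version, joined by "_" or a space, possibly after a vendor prefix.
VERSION_RE = re.compile(r"QRTB[_ ]?(\d+(?:\.\d+)+)", re.IGNORECASE)

# Constructed sample inventory (hypothetical hosts and layout).
SAMPLE_INVENTORY = """\
host,model,firmware
enb-01,Nova 436Q,QRTB_2.12.7
enb-02,Nova 430E,QRTB 2.12.8
enb-03,Neutrino 430,QRTB_2.9.3
enb-04,Nova 430I,QRTB_2.12.10
enb-05,Nova 430I,
enb-06,Example 100,QRTB_2.1.0
"""

def parse_qrtb(firmware):
    """Return the QRTB version as a tuple of ints, or None if unrecognised."""
    m = VERSION_RE.search(firmware or "")
    return tuple(int(p) for p in m.group(1).split(".")) if m else None

def triage(model, firmware):
    """Classify one unit: 'not-listed', 'vulnerable', 'fixed' or 'unknown'."""
    if " ".join(model.lower().split()) not in AFFECTED_MODELS:
        return "not-listed"
    version = parse_qrtb(firmware)
    if version is None:
        return "unknown"  # no readable version: treat as unpatched until checked
    # Compare numerically (2.9.3 < 2.12.8 < 2.12.10); pad short versions with 0.
    padded = version + (0,) * (len(FIXED) - len(version))
    return "fixed" if padded >= FIXED else "vulnerable"

def needs_action(csv_text):
    """Return (host, status) for units that are vulnerable or unverifiable."""
    rows = csv.DictReader(io.StringIO(csv_text))
    results = [(r["host"], triage(r["model"], r["firmware"])) for r in rows]
    return [(h, s) for h, s in results if s in ("vulnerable", "unknown")]

if __name__ == "__main__":
    for host, status in needs_action(SAMPLE_INVENTORY):
        print(f"{host}: {status}")
```

Units reported as unknown have no parseable version in the inventory and should be checked on the device rather than assumed patched.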