CVE-2023-34356
The TALOS-2023-1778 advisory confirms a real OS command injection in Peplink Surf SOHO HW1 v6.3.5 (QEMU). The vulnerability exists in the data.cgi endpoint handling DNS transfer (the /cgi-bin/MANGA/data.cgi dispatcher). An authenticated user can craft a POST with option=xfer_dns and step=view_dom...