Security Advisory ZPE-NG-2023-002

Advisory ID: ZPE-NG-2023-002
First Published: October 13, 2023
CVE ID: CVE-2023-44037
CVSSv3 Score: 7.5 (High)


The password is sent as the username when remote authentication is configured with the TACACS+ method and the TACACS+ minor version is 0.

This only happens if the TACACS+ Version is configured as V0, V0_V1, or V1_V0.

Affected Products

Nodegrid OS versions 5.8.10 to 5.8.13 and 5.10.3 to 5.10.5.

Nodegrid OS is used in the following products:
  1. Nodegrid Serial Console
  2. Nodegrid Serial Console Plus
  3. Nodegrid Net Services Router
  4. Nodegrid Gate SR
  5. Nodegrid Link SR
  6. Nodegrid Bold SR
  7. Nodegrid Hive SR
  8. Nodegrid Mini SR
  9. Nodegrid Manager
  10. Nodegrid Virtual Services Router


Because the password is sent as the username, authentication fails, and the TACACS+ authentication server's logs may record the password in cleartext. This may expose sensitive data.
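Triaging the TACACS+ server logs for passwords that were logged as usernames, as an added example that is not part of the advisory or of any ZPE code. The log format, host addresses and account names below are constructed for the illustration; a real server (tac_plus, ISE, etc.) needs its own LOG_RE, and the flagged values are the credentials to rotate.

```python
import re
from collections import Counter

# Constructed log format for this example; adapt LOG_RE to the real server.
LOG_RE = re.compile(
    r'^(?P<ts>\S+ \S+) .*authentication (?P<result>failed|succeeded) '
    r'user="(?P<user>[^"]*)" client=(?P<client>\S+)'
)
# Characters normally found in an account name; symbols such as ! $ % or
# spaces in the "user" field are a strong hint that a password landed there.
ACCOUNT_CHARS = re.compile(r'^[A-Za-z0-9._@\\-]+$')


def looks_like_credential(value):
    """Heuristic: True when the value uses characters unusual for a username."""
    return not ACCOUNT_CHARS.match(value)


def find_leaked_credentials(log_lines, known_users):
    """Return failed logins whose 'user' field is not a known account.

    Each hit is (timestamp, client, value, looks_like_credential).
    The value itself is what must be rotated after fixing the client.
    """
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or m.group("result") != "failed":
            continue
        user = m.group("user")
        if user in known_users:
            continue
        hits.append((m.group("ts"), m.group("client"), user,
                     looks_like_credential(user)))
    return hits


def clients_to_check(hits):
    """Count hits per client address: the hosts whose TACACS+ version setting
    should be checked against the advisory (V0, V0_V1 or V1_V0)."""
    return Counter(client for _, client, _, _ in hits)


# Constructed sample log lines (hypothetical hosts and accounts).
SAMPLE_LOG = [
    '2023-10-12 09:14:02 tacacs: authentication succeeded user="alice" client=10.0.0.5',
    '2023-10-12 09:14:30 tacacs: authentication failed user="S3cr3t!Pass" client=10.0.0.5',
    '2023-10-12 09:15:01 tacacs: authentication failed user="bob" client=10.0.0.6',
    '2023-10-12 09:15:07 tacacs: authentication failed user="hunter2" client=10.0.0.5',
]
KNOWN_USERS = {"alice", "bob", "carol"}

if __name__ == "__main__":
    found = find_leaked_credentials(SAMPLE_LOG, KNOWN_USERS)
    for ts, client, value, suspicious in found:
        print(f"{ts} {client} value={value!r} credential-like={suspicious}")
    print(dict(clients_to_check(found)))
```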


Configure TACACS+ to use only TACACS+ Version V1.


Upgrade to Nodegrid OS version 5.10.6 or above.

Upgrade to Nodegrid OS version 5.8.14 or above.


2023-10-13: Initial public disclosure
2023-10-20: Updated CVSS score, changed weakness enumeration.


This vulnerability was discovered and reported by Matt Vicari, Meta.