What is FXC AE1021/AE1021PE?
FXC is a Japanese company that manufactures network equipment including wireless access points for hospitality, commercial, and enterprise environments. The AE1021 and AE1021PE are wall-outlet-type wireless access points — designed to be installed directly in wall outlets in hotel rooms, offices, and similar environments. These devices provide per-room or per-zone wireless networking, often deployed at scale across hospitality properties. Like other embedded Linux network devices, they run a web-based management interface and are typically managed by property IT staff with varying levels of security awareness. The concentrated deployment in hospitality environments (where guest network access is common) makes these devices both accessible and a useful target for botnet recruitment.
Overview
CVE-2023-49897 is an OS command injection vulnerability in FXC AE1021 and AE1021PE wireless access points that allows an authenticated attacker with network access to execute arbitrary OS commands via the management interface. The vulnerability was discovered being exploited as a zero-day by the InfectedSlurs Mirai botnet — the same campaign that simultaneously targeted QNAP VioStor NVRs via CVE-2023-47565. Akamai's SIRT published its InfectedSlurs research on November 21, 2023; FXC responded with patches on December 6; and CISA added both CVEs to KEV on December 21.
Affected Versions
| Product | Vulnerable | Fixed |
|---|---|---|
| FXC AE1021 | Firmware 2.0.10 and earlier | 2.0.11 |
| FXC AE1021PE | Firmware 2.0.10 and earlier | 2.0.11 |
Technical Details
CWE-78 (Improper Neutralization of Special Elements used in an OS Command). The FXC AE1021/AE1021PE management web interface processes configuration requests from authenticated users. A vulnerability in the handling of certain configuration parameters allows injection of OS command metacharacters that are passed unsanitized to the underlying Linux shell. An authenticated low-privilege user (PR:L) can send a crafted HTTP request to the management interface with an injected command payload that executes on the device's embedded Linux OS.
Successful exploitation provides root-level OS command execution on the access point, enabling the attacker to:
- Deploy a persistent Mirai botnet agent in flash storage
- Disable the device's management interface or networking
- Use the device as a DDoS packet source or network relay
- Access credentials and configuration data stored on the device
The full network attack vector (AV:N) distinguishes this from CVE-2023-47565 (which requires adjacent-network access) — FXC AE1021 management interfaces may be reachable over broader network segments depending on deployment configuration.
Discovery
Discovered by Akamai Security Intelligence and Response Team (SIRT) during analysis of InfectedSlurs botnet activity in November 2023. Akamai observed active zero-day exploitation before FXC had a patch, coordinated responsible disclosure with FXC, and triggered the December 2023 patch release.
Exploitation Context
The InfectedSlurs botnet campaign specifically targeted embedded Linux network devices (NVRs and wireless access points) using multiple zero-day exploits simultaneously — an unusual level of sophistication for a DDoS-focused Mirai variant. The simultaneous targeting of QNAP VioStor (CVE-2023-47565) and FXC AE1021/AE1021PE (CVE-2023-49897) with zero-days in November 2023 suggests a threat actor that either develops or acquires zero-day exploits for IoT devices as a matter of course for botnet operations.
Because FXC access points are deployed in the hospitality sector, compromised devices may sit in physical locations (hotel rooms, office buildings) that give the botnet operator geographically dispersed DDoS traffic sources, which is useful for bypassing geographic IP blocking defenses.
Remediation
- Update FXC AE1021 and AE1021PE firmware to version 2.0.11 or later via the management interface's firmware update function.
- If the device cannot be immediately updated: as interim measures, restrict management interface access to trusted management networks only and change default or weak admin credentials.
- For hospitality deployments: include AE1021/AE1021PE firmware updates in the regular IT maintenance cadence — wireless AP firmware is often excluded from routine update processes.
- Review active network connections from deployed APs for unexpected outbound traffic to external IPs (botnet C2 communication).
- If devices show signs of compromise (unexpected traffic, unresponsive management interface): factory reset, apply firmware update, and reconfigure from known-good configuration backup.
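The firmware check and the outbound-traffic review from the list above can be combined into one audit pass. The following is an added example, not code from FXC or Akamai; the inventory fields, flow tuple layout, internal address ranges and allow-list are assumptions, and all sample data is constructed.

```python
import ipaddress

FIXED = (2, 0, 11)                      # first fixed firmware per the table above
AFFECTED_MODELS = {"AE1021", "AE1021PE"}
# Assumption: site-internal ranges; replace with your own address plan.
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_version(text):
    """'2.0.10' -> (2, 0, 10); numeric compare avoids '2.0.9' > '2.0.11'."""
    return tuple(int(part) for part in text.strip().split("."))

def needs_update(model, firmware):
    return model.upper() in AFFECTED_MODELS and parse_version(firmware) < FIXED

def is_external(addr):
    ip = ipaddress.ip_address(addr)
    return not any(ip in net for net in INTERNAL)

def audit(inventory, flows, allowed_dsts=frozenset()):
    """Return (APs to patch, {AP ip: sorted external destinations})."""
    ap_ips = {ap["ip"] for ap in inventory if ap["model"].upper() in AFFECTED_MODELS}
    to_patch = sorted(ap["ip"] for ap in inventory
                      if needs_update(ap["model"], ap["firmware"]))
    suspicious = {}
    for src, dst, dport in flows:
        if src in ap_ips and is_external(dst) and dst not in allowed_dsts:
            suspicious.setdefault(src, set()).add((dst, dport))
    return to_patch, {ip: sorted(d) for ip, d in suspicious.items()}

# Constructed sample data (documentation address ranges, not real indicators).
INVENTORY = [
    {"ip": "10.20.1.11", "model": "AE1021",   "firmware": "2.0.9"},
    {"ip": "10.20.1.12", "model": "AE1021PE", "firmware": "2.0.10"},
    {"ip": "10.20.1.13", "model": "AE1021",   "firmware": "2.0.11"},
]
FLOWS = [  # (source, destination, destination port)
    ("10.20.1.11", "10.20.0.5", 514),       # syslog to internal collector
    ("10.20.1.12", "203.0.113.40", 123),    # allow-listed NTP server
    ("10.20.1.12", "198.51.100.77", 23),    # unexpected external destination
    ("10.20.1.13", "198.51.100.77", 40000), # patched AP, still talking outbound
]

if __name__ == "__main__":
    patch, odd = audit(INVENTORY, FLOWS, allowed_dsts={"203.0.113.40"})
    print("needs firmware 2.0.11:", patch)
    for ap, dsts in odd.items():
        print("unexpected outbound from", ap, "->", dsts)
```

An AP that is already on 2.0.11 but still shows unexpected outbound flows belongs in the factory-reset path of the last item, since the firmware update alone does not establish that the device is clean.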
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2023-49897 |
| Vendor / Product | FXC — AE1021, AE1021PE |
| NVD Published | 2023-12-06 |
| NVD Last Modified | 2025-10-24 |
| CVSS 3.1 Score | 8.8 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| Severity | HIGH |
| CWE | CWE-78 |
| CISA KEV Added | 2023-12-21 |
| CISA KEV Deadline | 2024-01-11 |
| Known Ransomware Use | No |
Timeline
| Date | Event |
|---|---|
| 2023-11-21 | Akamai publishes InfectedSlurs research — Mirai botnet exploiting CVE-2023-49897 and CVE-2023-47565 as zero-days before vendor patches |
| 2023-12-06 | FXC publishes security advisory and releases firmware update for AE1021 and AE1021PE |
| 2023-12-21 | CISA adds CVE-2023-49897 to Known Exploited Vulnerabilities catalog alongside CVE-2023-47565 |
| 2024-01-11 | CISA BOD 22-01 remediation deadline |
References
| Resource | Type |
|---|---|
| FXC Security Advisory — AE1021/AE1021PE CVE-2023-49897 | Vendor Advisory |
| NVD — CVE-2023-49897 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |