SYS::ONLINE
Wasteland.
Briefs1215
Issues19
SinceFeb 2026
LIVE
⚡ Active KEV CVE-2023-49899 2026-07-16

CVE-2023-49899: Unauthenticated Remote Command Execution in X-Rite MA-T6

"A critical flaw in X-Rite MA-T6 spectrophotometers lets an unauthenticated remote attacker run arbitrary commands because the device fails to verify the origin of a communication channel."

A critical flaw in X-Rite MA-T6 spectrophotometers lets an unauthenticated remote attacker run arbitrary commands because the device fails to verify the origin of a communication channel.

What Is It

CVE-2023-49899 is a critical (CVSS 9.8) vulnerability in the X-Rite MA-T6 device. According to the NVD record, an unauthenticated remote attacker can execute any command on the affected device due to the device not correctly verifying the origin of a communication channel. The weakness is classified as CWE-346 (Origin Validation Error). The CVSS 3.1 vector, AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicates the attack is network-reachable, low-complexity, requires no privileges or user interaction, and fully compromises confidentiality, integrity, and availability.

Why It Matters

With a base score of 9.8, this is among the most severe classes of vulnerability. No authentication and no user interaction are required, and successful exploitation grants full command execution on the affected hardware. That combination makes the flaw attractive to attackers who can reach the device over the network.

What's Vulnerable

The affected product is the X-Rite MA-T6, in all versions prior to v2.33. Per the NVD affected-version data, versions from 0 up to (but not including) v2.33 are affected; other versions are listed as unaffected.

Patch Status

The affected version range ends at v2.33, indicating that v2.33 and later are not affected and upgrading to v2.33 or newer is the remediation path. This CVE is not present in the supplied CISA KEV data, so there is no KEV-confirmed active exploitation or KEV-mandated required action associated with it. The NVD record lists the vulnerability status as "Deferred."

Sources