A critical (CVSS 9.8) command-injection flaw lets an unauthenticated remote attacker run arbitrary code on X-Rite MA-T6 devices through the SetParameter command.
What Is It
CVE-2023-49900 is a remote code execution vulnerability caused by incorrectly sanitized user input in the SetParameter command. Because the affected command does not properly validate input, an unauthenticated remote attacker can inject and execute arbitrary code. The weakness is classified as CWE-78 (OS Command Injection).
Why It Matters
The flaw carries a CVSS 3.1 base score of 9.8 (CRITICAL) with the vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. In practical terms, it is remotely reachable over the network, requires low attack complexity, needs no privileges, and requires no user interaction; while delivering high impact to confidentiality, integrity, and availability. That combination makes it fully exploitable by an unauthenticated attacker who can reach the device, with complete compromise as the outcome.
What's Vulnerable
The affected product is the X-Rite MA-T6 (vendor: X-Rite). All versions prior to v2.33 are affected; v2.33 and later are listed as unaffected.
Patch Status
Per the NVD record, versions below v2.33 are affected and v2.33 is the first unaffected version, indicating that upgrading to v2.33 or later remediates the issue. The CVE was published on 2026-07-16 and its current NVD status is "Deferred." No CISA KEV entry was supplied, so there is no confirmation of active exploitation in the provided source material.