A vulnerability classified as critical has been found in KylinSoft kylin-system-updater up to 2.0.5.16-0k2.33. It affects an unknown function in the file /usr/share/kylin-system-updater/SystemUpdater/UpgradeStrategiesDbus.py of the component com.kylin.systemupgrade Service. Manipulation of the argument SetDownloadspeedMax leads to OS command injection.

This vulnerability is tracked as CVE-2023-7093. The attack requires local access. Furthermore, an exploit is available.

The vendor was contacted early about this disclosure but did not respond in any way.