Cyber Resilience

CVE-2023-0777

Critical · Public PoC

Published: 10 February 2023
Modified: 21 November 2024
KEV Added: not listed
Patch: fixed in Modoboa 2.0.4
CVSS Score (v3.1): 9.8, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score: 0.7502 (98.9th percentile)
Risk Priority: 65 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2023-0777 is a critical-severity Authentication Bypass by Primary Weakness (CWE-305) vulnerability in Modoboa. Its CVSS base score is 9.8 (Critical).

Operationally, it ranks in the top 1.1% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog; and a public proof-of-concept is referenced.

Deeper analysis

CVE-2023-0777 is an authentication bypass vulnerability affecting the Modoboa mail hosting and management platform, tracked in the modoboa/modoboa GitHub repository, in versions prior to 2.0.4. It is classified as CWE-305 (Authentication Bypass by Primary Weakness): the authentication design itself is sound, but the implemented mechanism can be bypassed through a separate weakness that is primary to the authentication error. The flaw carries a CVSS 3.1 base score of 9.8, and its vector (network attack vector, low complexity, no privileges required, no user interaction) indicates that remote attackers can circumvent authentication controls without credentials or user interaction.

Unauthenticated attackers with network access can exploit the weakness to achieve administrative takeover of a Modoboa instance, resulting in full compromise of confidentiality, integrity, and availability of the affected system. Public references, including a PacketStorm entry titled modoboa-2.0.4-Admin-Takeover, document the practical impact of this bypass.

The referenced GitHub commit 47d17ac6643f870719691073956a26e4be0a4806 and the associated huntr.dev bounty entry indicate that the issue was resolved by updating to Modoboa 2.0.4 or later. The EPSS score has reached a current value of 0.7502 with a recorded peak of 0.7615, reflecting sustained exploitation interest after disclosure.

Vulnerability details

Authentication Bypass by Primary Weakness in GitHub repository modoboa/modoboa prior to 2.0.4.

CWE(s)

CWE-305: Authentication Bypass by Primary Weakness
Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: modoboa
Product: modoboa
Versions: ≤ 2.0.4

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.
