CVE-2023-0777
Published: 10 February 2023
Summary
CVE-2023-0777 is a critical-severity Authentication Bypass by Primary Weakness (CWE-305) vulnerability in Modoboa, the open-source mail hosting and management platform. Its CVSS 3.1 base score is 9.8 (Critical).
Operationally, it ranks in the top 1.1% of CVEs by EPSS exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
CVE-2023-0777 is an authentication bypass in Modoboa, the mail hosting and management platform developed in the modoboa/modoboa GitHub repository, affecting releases prior to 2.0.4. It is classified as CWE-305 (Authentication Bypass by Primary Weakness), meaning the bypass is the consequence of an underlying defect in the authentication logic rather than of a check that is simply absent. The CVSS 3.1 base score of 9.8 reflects a network-reachable flaw that requires neither prior credentials nor user interaction.
Unauthenticated attackers with network access to a Modoboa instance can exploit the weakness to take over the administrative account, resulting in full compromise of confidentiality, integrity, and availability of the affected system. Public references, including a PacketStorm entry titled modoboa-2.0.4-Admin-Takeover, document the practical impact of this bypass.
The fix is GitHub commit 47d17ac6643f870719691073956a26e4be0a4806, shipped in Modoboa 2.0.4; the associated huntr.dev bounty entry confirms the resolution, and upgrading to 2.0.4 or later is the only remediation referenced. The EPSS score currently stands at 0.7502 with a recorded peak of 0.7615, an estimated probability of in-the-wild exploitation that has remained high since disclosure.
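Because the only remediation on record is the 2.0.4 release, the practical triage task is to find every host still running an earlier Modoboa. The script below is an added example, not code from the Modoboa project or from the advisory: it parses `pip freeze`-style requirement lines, compares the `modoboa` version against the fixed release with pre-release ordering taken into account (a `2.0.4rc1` build predates the fix), and flags vulnerable entries. The sample inventory lines are constructed for illustration, and the `FIXED_VERSION` constant is taken from the advisory text above.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

# First release containing fix commit 47d17ac6643f870719691073956a26e4be0a4806
# (from the CVE-2023-0777 advisory text).
FIXED_VERSION = "2.0.4"

# Pre-release tags sort below a final release of the same number (PEP 440 order).
_PRE_RANK = {"a": 0, "b": 1, "rc": 2}
_FINAL_RANK = 3

_VERSION_RE = re.compile(
    r"^(\d+)\.(\d+)(?:\.(\d+))?(?:(a|b|rc)(\d+))?",
    re.IGNORECASE,
)


def parse_version(text: str) -> Optional[Tuple[int, int, int, int, int]]:
    """Turn '2.0.4rc1' into a comparable tuple; None if the string is not a version."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    major, minor, patch, pre_tag, pre_num = m.groups()
    rank = _PRE_RANK[pre_tag.lower()] if pre_tag else _FINAL_RANK
    return (int(major), int(minor), int(patch or 0), rank, int(pre_num or 0))


def is_vulnerable(version: str) -> bool:
    """True when the Modoboa version predates the 2.0.4 fix release."""
    parsed = parse_version(version)
    if parsed is None:
        # Unparseable version strings are treated as vulnerable so they get reviewed.
        return True
    return parsed < parse_version(FIXED_VERSION)


class Finding(NamedTuple):
    package: str
    version: str
    vulnerable: bool


_REQ_RE = re.compile(r"^\s*([A-Za-z0-9_.-]+)\s*==\s*(\S+)\s*$")


def scan_freeze_output(lines: List[str]) -> List[Finding]:
    """Scan 'name==version' lines for the modoboa package itself.

    Plugin packages such as modoboa-amavis carry their own versions and are
    deliberately not matched; only the core 'modoboa' distribution is affected.
    """
    findings = []
    for line in lines:
        m = _REQ_RE.match(line)
        if not m:
            continue
        name, version = m.group(1).lower(), m.group(2)
        if name == "modoboa":
            findings.append(Finding(name, version, is_vulnerable(version)))
    return findings


# Constructed sample inventory (not taken from any real host).
SAMPLE_FREEZE = [
    "Django==4.1.7",
    "modoboa==2.0.3",
    "modoboa-amavis==1.5.0",
    "modoboa==2.0.4",
]

if __name__ == "__main__":
    for f in scan_freeze_output(SAMPLE_FREEZE):
        status = "VULNERABLE (CVE-2023-0777)" if f.vulnerable else "fixed"
        print(f"{f.package}=={f.version}: {status}")
```

Feed it the output of `pip freeze` from each Modoboa host's virtualenv (for example `ssh host 'venv/bin/pip freeze' | python3 scan.py`, adapting the `__main__` block to read stdin); any `VULNERABLE` line is a host that still needs the 2.0.4 upgrade.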
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-0168
Vulnerability details
Authentication Bypass by Primary Weakness in GitHub repository modoboa/modoboa prior to 2.0.4.
- CWE-305: Authentication Bypass by Primary Weakness
Related Threats
No named actor attribution yet.
Affected Assets
- Modoboa (modoboa/modoboa GitHub repository), all releases prior to 2.0.4
Mitigating Controls
- Upgrade Modoboa to 2.0.4 or later, the release that includes fix commit 47d17ac6643f870719691073956a26e4be0a4806.