CVE-2023-0830
Published: 14 February 2023
Summary
CVE-2023-0830 is a medium-severity Command Injection (CWE-77) vulnerability in EasyNAS (vendor: EasyNAS). Its CVSS base score is 5.3 (Medium).
Operationally, it is ranked in the top 1.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; and a public proof-of-concept is referenced.
Deeper analysis
A critical OS command injection vulnerability exists in EasyNAS version 1.1.0, within the system function of the /backup.pl file. The flaw, tracked under CWE-77 and CWE-78, allows manipulated input to be used to execute arbitrary operating system commands. It carries a CVSS 4.0 score of 5.3, reflecting a network attack vector, low attack complexity, and a low-privilege access requirement.
An authenticated remote attacker can supply crafted input to the affected backup component and achieve a limited impact on the confidentiality, integrity, and availability of the target system. Public exploit code has been released, enabling straightforward reproduction of the attack without additional user interaction.
The vendor recommends upgrading the affected component to remediate the issue. Public references including Exploit-DB entry 51266 and a GitHub proof-of-concept detail the injection vector, while the EPSS score has remained at 0.5850 since disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-12832
Vulnerability details
A vulnerability classified as critical has been found in EasyNAS 1.1.0. Affected is the function system of the file /backup.pl. The manipulation leads to os command injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. It is recommended to upgrade the affected component.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.