Cyber Resilience

CVE-2023-23333

Tags: Critical | Public PoC | RCE

Published: 06 February 2023

Modified: 26 March 2025
KEV Added: not listed
Patch: none referenced
CVSS v3.1 Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.9422 (99.9th percentile)
Risk Priority: 76 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2023-23333 is a critical-severity Command Injection (CWE-77) vulnerability in Contec SolarView Compact firmware. Its CVSS base score is 9.8 (Critical).

Operationally, it is ranked in the top 0.1% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog; and a public proof-of-concept is referenced.

Deeper analysis

CVE-2023-23333 is a command injection vulnerability, tracked under CWE-77, that affects SolarView Compact through version 6.00. The flaw resides in downloader.php and allows attackers to bypass internal restrictions and inject operating system commands.

Unauthenticated remote attackers can exploit the issue over the network without user interaction. Successful exploitation yields arbitrary command execution and full control over the affected system, consistent with the CVSS 9.8 rating reflecting critical impact to confidentiality, integrity, and availability.

Public references include exploit code published on PacketStorm and a GitHub repository, both of which demonstrate remote command execution against the vulnerable component. No official vendor advisory or patch information is provided in the available references.

The EPSS score stands at 0.9422 with a recorded peak of 0.9628, reflecting persistently high exploitation probability.

Vulnerability details

There is a command injection vulnerability in SolarView Compact through 6.00; attackers can execute commands by bypassing internal restrictions through downloader.php.

CWE(s): CWE-77 (Command Injection)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: contec
Product: solarview compact firmware
Versions: ≤ 6.00

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.
