CVE-2023-25356

Severity: High · Public PoC

Published: 04 April 2023

Modified: 13 February 2025
KEV Added: not listed
Patch: none referenced
CVSS v3.1 score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS score: 0.1748 (95.2nd percentile)
Risk Priority: 28 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2023-25356 is a high-severity Argument Injection (CWE-88) vulnerability in CoreDial sipXcom. Its CVSS base score is 8.8 (High).

Operationally, it ranks in the top 4.8% of CVEs by EPSS exploit likelihood; it is not currently listed in the CISA KEV catalog; and a public proof-of-concept is referenced.

Deeper analysis

CoreDial sipXcom versions up to and including 21.04 are affected by CVE-2023-25356, an improper neutralization of argument delimiters in a command vulnerability (CWE-88). The flaw allows XMPP users to supply crafted input that is passed directly into backend system commands on the server.

An authenticated XMPP user can exploit the weakness over the network to inject arbitrary arguments, gaining the ability to read or write files on the sipXcom host and to escalate to remote command execution. The CVSS 3.1 score of 8.8 reflects network reachability, low attack complexity, low required privileges and no user interaction.

Public references consist of March 2023 full-disclosure posts on seclists.org; no vendor patch or mitigation guidance is described in the supplied data. The associated EPSS values are a current score of 0.1748 and a recorded peak of 0.2012.

Vulnerability details

CoreDial sipXcom up to and including 21.04 is vulnerable to Improper Neutralization of Argument Delimiters in a Command. XMPP users are able to inject arbitrary arguments into a system command, which can be used to read files from, and write files to, the sipXcom server. This can also be leveraged to gain remote command execution.

CWE(s)

CWE-88: Improper Neutralization of Argument Delimiters in a Command (Argument Injection)

Related Threats

No named actor attribution yet; ATT&CK technique mapping is in progress for this CVE.

Affected Assets

coredial sipxcom ≤ 21.04

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.