CVE-2023-25356
Published: 04 April 2023
Summary
CVE-2023-25356 is a high-severity Argument Injection (CWE-88) vulnerability in Coredial Sipxcom. Its CVSS base score is 8.8 (High).
Operationally, it ranks in the top 4.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
CoreDial sipXcom versions up to and including 21.04 are affected by CVE-2023-25356, an improper neutralization of argument delimiters in a command vulnerability (CWE-88). The flaw allows XMPP users to supply crafted input that is passed directly into backend system commands on the server.
An authenticated XMPP user can exploit the weakness over the network to inject arbitrary arguments, resulting in the ability to read or write files on the sipXcom host and to escalate to remote command execution. The vulnerability carries a CVSS 3.1 score of 8.8, reflecting low attack complexity and low required privileges.
Public references consist of March 2023 full-disclosure posts on seclists.org; no vendor patch or mitigation guidance is described in the supplied data. The associated EPSS values are a current score of 0.1748 and a recorded peak of 0.2012.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-29314
Vulnerability details
CoreDial sipXcom up to and including 21.04 is vulnerable to Improper Neutralization of Argument Delimiters in a Command. XMPP users are able to inject arbitrary arguments into a system command, which can be used to read files from, and write files to, the sipXcom server. This can also be leveraged to gain remote command execution.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.