Cyber Resilience

CVE-2023-25826

Critical · Public PoC · RCE

Published: 03 May 2023
Modified: 13 February 2025
KEV Added: not listed
CVSS v3.1 score: 9.8 (vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS score: 0.8487 (99.4th percentile)
Risk priority: 71 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2023-25826 is a critical-severity OS Command Injection (CWE-78) vulnerability in OpenTSDB (vendor opentsdb, product opentsdb). Its CVSS base score is 9.8 (Critical).

Operationally, it ranks in the top 0.6% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog; and a public proof-of-concept is referenced.

Deeper analysis

CVE-2023-25826 affects OpenTSDB and stems from insufficient input validation in the legacy HTTP query API. Attackers can supply crafted parameters that bypass an ineffective regex check and inject operating-system commands, resulting in arbitrary code execution on the host. The flaw is an incomplete remediation of the earlier CVE-2020-35476 issue, leaving the same attack surface exposed in current releases.

Unauthenticated remote attackers reachable over the network can exploit the vulnerability without user interaction. Successful exploitation yields full control of the OpenTSDB process and underlying operating system, enabling confidentiality, integrity, and availability impacts consistent with the CVSS 9.8 rating.

A pull request (OpenTSDB #2275) supplies updated validation logic intended to close the command-injection path. Public exploit code and technical write-ups are already circulating, and the EPSS score remains elevated near its recorded peak of 0.87, indicating sustained exploitation interest after disclosure.


Vulnerability details

Due to insufficient validation of parameters passed to the legacy HTTP query API, it is possible to inject crafted OS commands into multiple parameters and execute malicious code on the OpenTSDB host system. This exploit exists due to an incomplete fix that was made when this vulnerability was previously disclosed as CVE-2020-35476. Regex validation that was implemented to restrict allowed input to the query API does not work as intended, allowing crafted commands to bypass validation.

CWE(s)

CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: opentsdb
Product: opentsdb
Affected versions: 1.0.0 through 2.4.1

Mitigating Controls

Likely mitigating controls (AI-generated mapping)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

- Addresses CWE-78: Platform-independent apps typically execute inside a managed runtime or sandbox that restricts direct OS command execution, reducing the ability to exploit OS command injection.

- Addresses CWE-78: Validates inputs to block special elements that would alter OS command execution.
