CVE-2023-25826
Published: 03 May 2023
Summary
CVE-2023-25826 is a critical-severity OS Command Injection (CWE-78) vulnerability in OpenTSDB. Its CVSS base score is 9.8 (Critical).
Operationally, it is ranked in the top 0.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
CVE-2023-25826 affects OpenTSDB and stems from insufficient input validation in the legacy HTTP query API. Attackers can supply crafted parameters that bypass an ineffective regex check and inject operating-system commands, resulting in arbitrary code execution on the host. The flaw is an incomplete remediation of the earlier CVE-2020-35476 issue, leaving the same attack surface exposed in current releases.
Unauthenticated remote attackers reachable over the network can exploit the vulnerability without user interaction. Successful exploitation yields full control of the OpenTSDB process and underlying operating system, enabling confidentiality, integrity, and availability impacts consistent with the CVSS 9.8 rating.
A pull request (OpenTSDB #2275) supplies updated validation logic intended to close the command-injection path. Public exploit code and technical write-ups are already circulating, and the EPSS score remains elevated near its recorded peak of 0.87, indicating sustained exploitation interest after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-1552
Vulnerability details
Due to insufficient validation of parameters passed to the legacy HTTP query API, it is possible to inject crafted OS commands into multiple parameters and execute malicious code on the OpenTSDB host system. This exploit exists due to an incomplete fix that was made when this vulnerability was previously disclosed as CVE-2020-35476. Regex validation that was implemented to restrict allowed input to the query API does not work as intended, allowing crafted commands to bypass validation.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.