CVE-2023-26759
Published: 27 February 2023
Summary
CVE-2023-26759 is a high-severity OS Command Injection (CWE-78) vulnerability in Sme.UP ERP (TOKYO V6R1M220406). Its CVSS 3.1 base score is 8.8 (High).
Operationally, it ranks in the top 6.1% of CVEs by exploit likelihood (EPSS percentile); it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
Sme.UP ERP TOKYO V6R1M220406 contains an OS command injection vulnerability, tracked as CVE-2023-26759 and classified as CWE-78, that is reachable through calls to the XMService component. The flaw carries a CVSS 3.1 base score of 8.8: network attack vector, low attack complexity, low privileges required and no user interaction, with high impact on the confidentiality, integrity, and availability of the affected ERP installation.
An authenticated attacker with network access can supply crafted input to XMService calls and execute arbitrary operating-system commands on the underlying host. Successful exploitation lets the attacker read, modify, or delete data and potentially take full control of the ERP server; no action by another user is required.
The public advisory from Swascan at https://www.swascan.com/it/security-advisory-sme-up-erp/ describes the issue and is the primary source for mitigation guidance. The EPSS probability has remained flat at 0.1187 since disclosure, with no material increase observed.
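The paragraph above describes the CWE-78 pattern but not the actual injection point, which the page does not disclose. The following is an added, generic illustration written for this page; it is not Sme.UP ERP or XMService code, and the report-name parameter, the command and the payload are hypothetical. It places the vulnerable construction (untrusted input concatenated into a shell command line) next to the hardened one (allow-list validation plus an argv list with no shell), using `echo` as a harmless stand-in for the real OS tool so the effect can be observed safely.

```python
"""Added illustration of CWE-78 (not the vendor's code).

Assumptions: a hypothetical service endpoint receives a report name from an
authenticated user and passes it to an OS tool. 'echo' stands in for that
tool so the demonstration runs harmlessly on any POSIX host.
"""
import re
import subprocess

REPORT_TOOL = "echo"  # hypothetical stand-in for the real OS tool


def run_report_vulnerable(report_name: str) -> str:
    """CWE-78: the user-controlled value is spliced into a shell command line.

    With shell=True, /bin/sh re-parses the string, so metacharacters such as
    ';', '|', '&&' or $( ) in report_name become additional commands.
    """
    cmd = f"{REPORT_TOOL} report={report_name}"
    out = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return out.stdout


# Allow-list: a plain identifier only, no whitespace or shell metacharacters.
_SAFE_NAME = re.compile(r"[A-Za-z0-9_-]{1,64}")


def is_accepted(report_name: str) -> bool:
    """Return True only if the value matches the allow-list exactly."""
    return _SAFE_NAME.fullmatch(report_name) is not None


def run_report_hardened(report_name: str) -> str:
    """Hardened form: validate against an allow-list, then avoid the shell.

    Passing an argv list means the value reaches the tool as a single
    argument and is never interpreted by /bin/sh, so even a value that
    slipped past validation could not spawn extra commands.
    """
    if not is_accepted(report_name):
        raise ValueError(f"rejected report name: {report_name!r}")
    out = subprocess.run([REPORT_TOOL, f"report={report_name}"],
                         capture_output=True, text=True)
    return out.stdout


if __name__ == "__main__":
    # Constructed payload: a legitimate-looking name with a second command appended.
    payload = "monthly; echo INJECTED"
    print("vulnerable:", run_report_vulnerable(payload).splitlines())
    try:
        run_report_hardened(payload)
    except ValueError as exc:
        print("hardened:", exc)
    print("hardened (valid input):", run_report_hardened("monthly").strip())
```

Run against the constructed payload, the vulnerable path prints two lines (the second command executed), while the hardened path rejects the value before any process is spawned; a legitimate name still works. The two controls are independent: validation stops the payload at the boundary, and the argv list removes the shell that made the metacharacters meaningful in the first place.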
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-30552
Vulnerability details
Sme.UP ERP TOKYO V6R1M220406 was discovered to contain an OS command injection vulnerability via calls made to the XMService component.
- CWE(s): CWE-78 (Improper Neutralization of Special Elements used in an OS Command)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
- Sme.UP ERP TOKYO V6R1M220406
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; any controls listed here are derived from the weakness type (CWE-78) cited in the NVD entry rather than from analysis of this specific flaw.