Cyber Resilience

CVE-2023-28354

CriticalRCE

Published: 09 January 2025

Published
09 January 2025
Modified
15 April 2026
KEV Added
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.1918 95.5th percentile
Risk Priority 31 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2023-28354 is a critical-severity Code Injection (CWE-94) vulnerability. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 4.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-7 (Boundary Protection) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2023-28354 is a command injection vulnerability in Opsview Monitor Agent 6.8. It arises because the agent allows unauthenticated remote callers to invoke check_nrpe against default-configured NRPE plugins that accept and forward command-control characters to underlying command-line interpreters, enabling escape from the plugin sandbox. The flaw is tracked as CWE-94 and carries a CVSS 3.1 score of 9.8.

An unauthenticated network attacker can supply crafted arguments to known NRPE plugins and thereby execute arbitrary commands on the target host under the NT_AUTHORITY\SYSTEM account. No authentication or user interaction is required, and the attack surface is exposed whenever the agent listens for NRPE connections.

The single reference is a public GitHub repository containing exploit details; it does not include official patch or mitigation statements from the vendor. The associated EPSS score is 0.1918 with no indicated rise from a lower baseline.

EU & UK References

Vulnerability details

An issue was discovered in Opsview Monitor Agent 6.8. An unauthenticated remote attacker can call check_nrpe against affected targets, specifying known NRPE plugins, which in default installations are configured to accept command control characters and pass them to command-line interpreters…

more

for NRPE plugin execution. This allows the attacker to escape NRPE plugin execution and execute commands remotely on the target as NT_AUTHORITY\SYSTEM.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.003 Windows Command Shell Execution
Adversaries may abuse the Windows command shell for execution.
Why these techniques?

Direct unauthenticated RCE via NRPE plugin command injection on public-facing agent, enabling remote arbitrary command execution as SYSTEM.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-13773Shared CWE-94
CVE-2025-50692Shared CWE-94
CVE-2026-30643Shared CWE-94
CVE-2026-30460Shared CWE-94
CVE-2025-71243Shared CWE-94
CVE-2026-44262Shared CWE-94
CVE-2024-13792Shared CWE-94
CVE-2020-37052Shared CWE-94
CVE-2026-42555Shared CWE-94
CVE-2025-65037Shared CWE-94

Affected Assets

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly prevents command injection in NRPE plugin execution by validating inputs to block control characters passed to command-line interpreters.

prevent

Remediates the specific flaw in Opsview Monitor Agent 6.8 by applying vendor patches or workarounds to eliminate the vulnerability.

prevent

Blocks unauthenticated remote access to the check_nrpe service by enforcing boundary protections around the affected NRPE port.

References