CVE-2023-28354
Published: 09 January 2025
Summary
CVE-2023-28354 is a critical-severity Code Injection (CWE-94) vulnerability. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 4.5% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-7 (Boundary Protection) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2023-28354 is a command injection vulnerability in Opsview Monitor Agent 6.8. It arises because the agent allows unauthenticated remote callers to invoke check_nrpe against known NRPE plugins which, in default installations, accept command control characters and forward them to the underlying command-line interpreters, letting the caller escape NRPE plugin execution. The flaw is tracked as CWE-94 and carries a CVSS 3.1 score of 9.8.
An unauthenticated network attacker can supply crafted arguments to known NRPE plugins and thereby execute arbitrary commands on the target host under the NT_AUTHORITY\SYSTEM account. No authentication or user interaction is required, and the attack surface is exposed whenever the agent listens for NRPE connections.
The single reference is a public GitHub repository containing exploit details; it does not include official patch or mitigation statements from the vendor. The associated EPSS score is 0.1918 with no indicated rise from a lower baseline.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-32052
Vulnerability details
An issue was discovered in Opsview Monitor Agent 6.8. An unauthenticated remote attacker can call check_nrpe against affected targets, specifying known NRPE plugins, which in default installations are configured to accept command control characters and pass them to command-line interpreters for NRPE plugin execution. This allows the attacker to escape NRPE plugin execution and execute commands remotely on the target as NT_AUTHORITY\SYSTEM.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Direct unauthenticated RCE via NRPE plugin command injection on public-facing agent, enabling remote arbitrary command execution as SYSTEM.
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
Directly prevents command injection in NRPE plugin execution by validating inputs to block control characters passed to command-line interpreters.
Remediates the specific flaw in Opsview Monitor Agent 6.8 by applying vendor patches or workarounds to eliminate the vulnerability.
Blocks unauthenticated remote access to the check_nrpe service by enforcing boundary protections around the affected NRPE port.