Cyber Resilience

CVE-2023-30801

Critical · Public PoC

Published: 10 October 2023
Modified: 13 February 2025
KEV Added: not listed
Patch: none referenced on this page
CVSS v3.1 score: 9.8 (Critical), vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS score: 0.0063 (70.7th percentile)
Risk priority: 20 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2023-30801 is a critical-severity Use of Default Credentials (CWE-1392) vulnerability in the qBittorrent client (vendor and product are both listed as qbittorrent). Its CVSS v3.1 base score is 9.8 (Critical).

Operationally, it ranks in the top 29.3% of CVEs by EPSS exploit likelihood (70.7th percentile); it is not currently listed in the CISA KEV catalog; and a public proof-of-concept is referenced.

Vulnerability details

All versions of the qBittorrent client through 4.5.5 use default credentials when the web user interface is enabled. The administrator is not forced to change the default credentials. As of 4.5.5, this issue has not been fixed. A remote attacker can use the default credentials to authenticate and execute arbitrary operating system commands using the "external program" feature in the web user interface. This was reportedly exploited in the wild in March 2023.
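As an added example (not code from this page or from the qBittorrent project), the following Python script performs an authorized check of whether an instance you operate still accepts the defaults described above. It uses the qBittorrent Web API v2 login endpoint, /api/v2/auth/login, which answers HTTP 200 with the body "Ok." or "Fails.", and the project's documented default credentials admin/adminadmin (neither fact is stated on this page); after a successful login it reads the autorun_enabled and autorun_program preferences from /api/v2/app/preferences to report whether the "external program" feature is switched on. The HTTP transport is injected so the logic can be exercised against a constructed stand-in without a network; the Referer header and the HTTP 403 lock-out handling are assumptions about how the Web UI's cross-site and failed-login protections behave in your deployment.

```python
"""Authorized default-credential check for a qBittorrent Web UI (CVE-2023-30801).

Added example; not qBittorrent project code. Endpoints and response strings follow
the qBittorrent Web API v2; admin/adminadmin are the documented defaults through 4.5.5.
"""
import http.cookiejar
import json
import sys
import urllib.error
import urllib.parse
import urllib.request
from dataclasses import dataclass
from typing import Callable, Optional

DEFAULT_USERNAME = "admin"
DEFAULT_PASSWORD = "adminadmin"

# transport(method, url, headers, body) -> (status, body_text). Injected so the check
# runs offline against a fake server and the session-cookie handling stays in one place.
Transport = Callable[[str, str, dict, Optional[str]], tuple[int, str]]


@dataclass
class Finding:
    verdict: str                            # "default-accepted", "rejected", "locked-out", "error"
    autorun_enabled: Optional[bool] = None  # "Run external program" setting, read only after login
    autorun_program: Optional[str] = None


def urllib_transport(timeout: float = 10.0) -> Transport:
    """Real HTTP transport; the cookie jar carries the SID cookie set by /auth/login."""
    jar = http.cookiejar.CookieJar()
    opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(jar))

    def transport(method, url, headers, body):
        data = body.encode() if body is not None else None
        req = urllib.request.Request(url, data=data, headers=headers, method=method)
        try:
            with opener.open(req, timeout=timeout) as resp:
                return resp.status, resp.read().decode("utf-8", "replace")
        except urllib.error.HTTPError as err:
            return err.code, err.read().decode("utf-8", "replace")
    return transport


def check_default_credentials(base_url, transport, username=DEFAULT_USERNAME,
                              password=DEFAULT_PASSWORD) -> Finding:
    base = base_url.rstrip("/")
    # Assumption: the Web UI rejects cross-site requests whose Referer/Origin disagree
    # with the target host, so the base URL is sent as Referer.
    headers = {"Referer": base, "Content-Type": "application/x-www-form-urlencoded"}
    body = urllib.parse.urlencode({"username": username, "password": password})
    status, text = transport("POST", base + "/api/v2/auth/login", headers, body)
    if status == 403:
        # Assumption: the Web UI bans a client IP after repeated failed logins (HTTP 403);
        # a banned client cannot be told apart from a hardened instance, so report that.
        return Finding("locked-out")
    if status != 200:
        return Finding("error")
    if text.strip() != "Ok.":        # "Fails." means the credentials were rejected
        return Finding("rejected")
    status, text = transport("GET", base + "/api/v2/app/preferences", {"Referer": base}, None)
    if status != 200:
        return Finding("default-accepted")
    prefs = json.loads(text)
    return Finding("default-accepted", bool(prefs.get("autorun_enabled", False)),
                   prefs.get("autorun_program") or None)


def fake_qbittorrent(accepts_default, autorun_enabled=False, autorun_program="") -> Transport:
    """Constructed stand-in for an affected instance (no session cookie check), for offline runs."""
    def transport(method, url, headers, body):
        path = urllib.parse.urlsplit(url).path
        if method == "POST" and path == "/api/v2/auth/login":
            creds = dict(urllib.parse.parse_qsl(body or ""))
            ok = accepts_default and creds == {"username": DEFAULT_USERNAME,
                                               "password": DEFAULT_PASSWORD}
            return 200, ("Ok." if ok else "Fails.")
        if method == "GET" and path == "/api/v2/app/preferences":
            return 200, json.dumps({"autorun_enabled": autorun_enabled,
                                    "autorun_program": autorun_program})
        return 404, "Not Found"
    return transport


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "http://127.0.0.1:8080"
    print(check_default_credentials(target, urllib_transport()))
```

Run it only against instances you are authorized to test (for example `python3 qbt_default_check.py http://seedbox.example:8080`, a hypothetical host). A "rejected" verdict is the hardened state; "default-accepted" together with autorun_enabled=True is the exact exposure the advisory describes, and a "locked-out" result after earlier failed attempts is inconclusive rather than clean.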

CWE(s)

CWE-1392: Use of Default Credentials
CWE-798: Use of Hard-coded Credentials

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: qbittorrent
Product: qbittorrent
Versions: ≤ 4.5.5

Mitigating Controls

Likely Mitigating Controls (AI-generated mapping)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Policy and procedures prohibit hard-coded credentials in favor of managed authentication. (addresses CWE-798, CWE-1392)

Changing default authenticators prior to first use, and protecting their contents, prevents use of hard-coded or default credentials. (addresses CWE-798, CWE-1392)

Acquisition strategy enforces supplier requirements and code reviews that reduce hard-coded credentials introduced through acquired products. (addresses CWE-798, CWE-1392)

Requiring security functional requirements and acceptance criteria allows contracts to prohibit hard-coded credentials in delivered systems or components. (addresses CWE-798, CWE-1392)

The known-vulnerabilities section of the administrator documentation covers hard-coded credentials and how to replace them, limiting their use in deployments. (addresses CWE-798, CWE-1392)

Monitoring that enables users to notice when hard-coded credentials have been exploited for unauthorized access. (addresses CWE-798)

Security training explicitly warns against hard-coded credentials, lowering their use in systems. (addresses CWE-798)

Mandates replacement of default credentials during secure configuration and provisioning procedures. (addresses CWE-1392)
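The controls on changing default authenticators before first use and on replacing default credentials during provisioning can be verified on the host as well as over the network. The following Python audit, added here as an example and not qBittorrent project code, parses qBittorrent.conf and flags a Web UI that is enabled with the default username, with no stored password (which, through 4.5.5, means the default password applies), or with a stored hash that verifies against the default password; it also flags the two settings that bypass authentication for localhost or for a subnet whitelist. The key names (WebUI\Enabled, WebUI\Username, WebUI\Password_PBKDF2, WebUI\LocalHostAuth, WebUI\AuthSubnetWhitelistEnabled) and the hash format (base64 salt, a colon, and a base64 PBKDF2-HMAC-SHA512 key of 64 bytes over 100000 iterations, wrapped in @ByteArray(...)) are this author's reading of the qBittorrent source and are assumptions to verify against the version you run; the sample_conf helper builds a constructed configuration for demonstration, not a file taken from a real host.

```python
"""Host-side audit of qBittorrent.conf for default Web UI credentials (CVE-2023-30801).

Added example, not qBittorrent project code. Assumed on-disk format (verify for your
version): WebUI\Password_PBKDF2="@ByteArray(<b64 salt>:<b64 key>)" with the key being
PBKDF2-HMAC-SHA512 over the password, 100000 iterations, 64-byte output.
"""
import base64
import configparser
import hashlib
import hmac
import os
import sys

DEFAULT_USERNAME = "admin"
DEFAULT_PASSWORD = "adminadmin"
PBKDF2_HASH, PBKDF2_ITERATIONS, PBKDF2_KEY_LEN = "sha512", 100_000, 64   # assumed parameters


def encode_pbkdf2_field(password: str, salt: bytes) -> str:
    """Stored form of a Web UI password under the assumed format (used to build samples)."""
    key = hashlib.pbkdf2_hmac(PBKDF2_HASH, password.encode(), salt, PBKDF2_ITERATIONS, PBKDF2_KEY_LEN)
    return "@ByteArray(%s:%s)" % (base64.b64encode(salt).decode(), base64.b64encode(key).decode())


def pbkdf2_field_matches(field: str, password: str) -> bool:
    """True when the stored salt:key pair verifies against `password`."""
    inner = field.strip().strip('"')
    if inner.startswith("@ByteArray(") and inner.endswith(")"):
        inner = inner[len("@ByteArray("):-1]
    salt_b64, sep, key_b64 = inner.partition(":")
    if not sep:
        return False
    salt, expected = base64.b64decode(salt_b64), base64.b64decode(key_b64)
    derived = hashlib.pbkdf2_hmac(PBKDF2_HASH, password.encode(), salt, PBKDF2_ITERATIONS, len(expected))
    return hmac.compare_digest(derived, expected)


def audit_conf_text(text: str) -> list:
    """Return finding codes for one qBittorrent.conf; an empty list means nothing was flagged."""
    # Split only on '=': base64 padding and '@ByteArray(a:b)' would confuse the ':' delimiter.
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str          # keep keys such as 'WebUI\Username' exactly as written
    cp.read_string(text)
    prefs = cp["Preferences"] if cp.has_section("Preferences") else {}

    def flag(key, default):
        return prefs.get(key, default).strip().lower() == "true"

    findings = []
    if not flag("WebUI\\Enabled", "false"):
        return findings           # Web UI off: the default-credential path is not reachable
    if prefs.get("WebUI\\Username", DEFAULT_USERNAME).strip() == DEFAULT_USERNAME:
        findings.append("default-username")
    stored = prefs.get("WebUI\\Password_PBKDF2")
    if stored is None:
        findings.append("no-password-set")     # through 4.5.5 the default password then applies
    elif pbkdf2_field_matches(stored, DEFAULT_PASSWORD):
        findings.append("default-password")
    if not flag("WebUI\\LocalHostAuth", "true"):
        findings.append("localhost-auth-bypass")
    if flag("WebUI\\AuthSubnetWhitelistEnabled", "false"):
        findings.append("subnet-auth-bypass")
    return findings


def sample_conf(password, username="admin") -> str:
    """Constructed qBittorrent.conf fragment for demonstration; not a file from a real host."""
    salt = bytes(range(16))       # fixed salt so the sample is reproducible
    pw_line = "" if password is None else 'WebUI\\Password_PBKDF2="%s"\n' % encode_pbkdf2_field(password, salt)
    return ("[Preferences]\nWebUI\\Enabled=true\nWebUI\\Port=8080\nWebUI\\Username=%s\n%s"
            "WebUI\\LocalHostAuth=true\nWebUI\\AuthSubnetWhitelistEnabled=false\n") % (username, pw_line)


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else os.path.expanduser("~/.config/qBittorrent/qBittorrent.conf")
    with open(path, encoding="utf-8") as fh:
        for code in audit_conf_text(fh.read()) or ["clean"]:
            print(code)
```

Because the salt is read from the file and only the single default password is tried, the audit is cheap enough to run from configuration management across a fleet; a "clean" result only means the defaults are gone, not that the Web UI should be reachable from untrusted networks.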
