Cyber Resilience

CVE-2023-33466

HighRCE

Published: 29 June 2023

Published
29 June 2023
Modified
26 November 2024
KEV Added
Patch
CVSS Score v3.1 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.5775 98.2th percentile
Risk Priority 52 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2023-33466 is a high-severity Code Injection (CWE-94) vulnerability in Orthanc-Server Orthanc. Its CVSS base score is 8.8 (High).

Operationally, ranked in the top 1.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

Orthanc versions prior to 1.12.0 are affected by a flaw that allows authenticated users possessing Orthanc API access to overwrite arbitrary files on the host file system. In specific deployment scenarios this can extend to overwriting configuration files, which may be abused to achieve remote code execution. The issue is tracked under CVE-2023-33466 with a CVSS 3.1 base score of 8.8.

An attacker with valid API credentials can supply crafted requests that replace targeted files, including Orthanc configuration or related scripts. When the overwritten configuration alters plugin loading, executable paths, or startup behavior, the attacker obtains the ability to execute arbitrary code on the server. The attack requires no user interaction and can be performed over the network.

Public advisories from the Orthanc project and Debian urge immediate upgrade to version 1.12.0 or newer. Debian has published patched packages via DSA-5473 and corresponding LTS updates that resolve the file-write primitive.

The CVE maintains an EPSS score near 0.58 with a recorded peak of 0.59, reflecting sustained exploitation interest after disclosure.

EU & UK References

Vulnerability details

Orthanc before 1.12.0 allows authenticated users with access to the Orthanc API to overwrite arbitrary files on the file system, and in specific deployment scenarios allows the attacker to overwrite the configuration, which can be exploited to trigger Remote Code…

more

Execution (RCE).

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

orthanc-server
orthanc
≤ 1.12.0

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-94

Makes persistent code injection into loaded programs impossible when the executable image itself resides on hardware-protected read-only media.

addresses: CWE-94

Dynamically generated code can be produced and executed inside the isolated chamber, preventing host compromise from code-injection payloads.

addresses: CWE-94

Validates inputs used in dynamic code generation to block injected directives.

addresses: CWE-94

Directly prevents execution of attacker-supplied code written into data memory regions.

References