CVE-2023-33466
Published: 29 June 2023
Summary
CVE-2023-33466 is a high-severity Code Injection (CWE-94) vulnerability in Orthanc-Server Orthanc. Its CVSS base score is 8.8 (High).
Operationally, it ranks in the top 1.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
Orthanc versions prior to 1.12.0 are affected by a flaw that allows authenticated users possessing Orthanc API access to overwrite arbitrary files on the host file system. In specific deployment scenarios this can extend to overwriting configuration files, which may be abused to achieve remote code execution. The issue is tracked under CVE-2023-33466 with a CVSS 3.1 base score of 8.8.
An attacker with valid API credentials can supply crafted requests that replace targeted files, including Orthanc configuration or related scripts. When the overwritten configuration alters plugin loading, executable paths, or startup behavior, the attacker obtains the ability to execute arbitrary code on the server. The attack requires no user interaction and can be performed over the network.
Public advisories from the Orthanc project and Debian urge immediate upgrade to version 1.12.0 or newer. Debian has published patched packages via DSA-5473 and corresponding LTS updates that resolve the file-write primitive.
The CVE maintains an EPSS score near 0.58 with a recorded peak of 0.59, reflecting sustained exploitation interest after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-37629
Vulnerability details
Orthanc before 1.12.0 allows authenticated users with access to the Orthanc API to overwrite arbitrary files on the file system, and in specific deployment scenarios allows the attacker to overwrite the configuration, which can be exploited to trigger Remote Code Execution (RCE).
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Makes persistent code injection into loaded programs impossible when the executable image itself resides on hardware-protected read-only media.
Dynamically generated code can be produced and executed inside the isolated chamber, preventing host compromise from code-injection payloads.
Validates inputs used in dynamic code generation to block injected directives.
Directly prevents execution of attacker-supplied code written into data memory regions.