CVE-2023-38693
Published: 05 March 2025
Summary
CVE-2023-38693 is a critical-severity Improper Restriction of XML External Entity Reference (CWE-611) vulnerability. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 43.9th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Timely flaw remediation through patching to fixed Lucee versions (5.4.3.2, 5.3.12.1, etc.) directly eliminates the XXE vulnerability that enables RCE in the REST endpoint.
Information input validation sanitizes and checks XML payloads to prevent external entity processing that leads to arbitrary code execution.
Secure configuration settings for the Lucee Server and XML parsers disable external entity resolution, comprehensively blocking XXE attacks on the REST endpoint.
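The secure-configuration control above, shown as an added example in Java (Lucee's platform language); this is not Lucee's own code, and the class name, the constructed sample body and the placeholder systemId are assumptions. It contrasts a JDK default DocumentBuilderFactory with a hardened one, using an EntityResolver as a stand-in for the file system so the check records whether the parser attempted external entity resolution without reading anything.

```java
import java.io.StringReader;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.xml.sax.InputSource;

public class XxeParserCheck {
    // Constructed sample body (not from the advisory): a DOCTYPE declaring an external
    // entity. The systemId is a placeholder; the resolver below never opens it.
    static final String SAMPLE = "<?xml version=\"1.0\"?>\n"
        + "<!DOCTYPE req [<!ENTITY ext SYSTEM \"file:///placeholder/never-read\">]>\n"
        + "<req>&ext;</req>";

    // Hardened factory: refusing any DOCTYPE blocks external entities and external DTDs;
    // the other features are defence in depth for parsers that ignore the first one.
    static DocumentBuilderFactory hardenedFactory() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    // Parses SAMPLE and reports whether the parser tried to resolve an external entity.
    // An EntityResolver stands in for the file system so the attempt is recorded, not acted on.
    static String outcome(DocumentBuilderFactory f) {
        final boolean[] asked = {false};
        try {
            DocumentBuilder b = f.newDocumentBuilder();
            b.setEntityResolver((publicId, systemId) -> {
                asked[0] = true;                        // parser wanted external content
                return new InputSource(new StringReader(""));
            });
            b.parse(new InputSource(new StringReader(SAMPLE)));
        } catch (Exception e) {
            // hardened factory: SAXParseException at the DOCTYPE, before any resolution
        }
        return asked[0] ? "external entity resolved" : "external entity blocked";
    }

    public static void main(String[] args) throws Exception {
        System.out.println("JDK default factory: " + outcome(DocumentBuilderFactory.newInstance()));
        System.out.println("hardened factory:    " + outcome(hardenedFactory()));
    }
}
```

With the JDK's built-in parser the default factory reports the entity as resolved and the hardened factory reports it as blocked; the same feature set applies to SAXParserFactory and XMLInputFactory configurations used elsewhere in a Java application.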
MITRE ATT&CK Enterprise Techniques
Why these techniques?
RCE via unauthenticated crafted request to public-facing REST endpoint enables T1190 (Exploit Public-Facing Application) for initial access and T1059 (Command and Scripting Interpreter) for arbitrary code execution.
NVD Description
Lucee Server (or simply Lucee) is a dynamic, Java based, tag and scripting language used for rapid web application development. The Lucee REST endpoint is vulnerable to RCE via an XML XXE attack. This vulnerability is fixed in Lucee 5.4.3.2, 5.3.12.1, 5.3.7.59, 5.3.8.236, and 5.3.9.173.
Deeper analysis
CVE-2023-38693 is a remote code execution (RCE) vulnerability affecting the Lucee REST endpoint in Lucee Server, a dynamic, Java-based tag and scripting language used for rapid web application development. The flaw stems from an XML External Entity (XXE) attack vector, classified under CWE-611, with a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its potential for high-impact exploitation.
An unauthenticated attacker with network access can exploit this vulnerability by sending a specially crafted request to the Lucee REST endpoint, triggering the XXE processing and achieving arbitrary code execution on the server. No user interaction or privileges are required, enabling low-complexity remote exploitation that compromises confidentiality, integrity, and availability.
The official advisory on GitHub (GHSA-vwjx-mmwm-pwrf) confirms the issue is fixed in Lucee versions 5.4.3.2, 5.3.12.1, 5.3.7.59, 5.3.8.236, and 5.3.9.173, recommending immediate upgrades for affected installations to mitigate the risk.
Details
- CWE(s)