CVE-2023-39001
Published: 09 August 2023
Summary
CVE-2023-39001 is a critical-severity Command Injection (CWE-77) vulnerability in OPNsense. Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 9.6% of CVEs by exploit likelihood, it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
A command injection vulnerability exists in the diag_backup.php component of OPNsense Community Edition before version 23.7 and Business Edition before 23.4.2. The flaw, tracked as CVE-2023-39001 and assigned CWE-77, permits unauthenticated attackers to supply a crafted backup configuration file that results in arbitrary command execution on the affected system. It carries a CVSS 3.1 score of 9.8, reflecting network attack vector, low complexity, and no required privileges or user interaction.
An attacker can exploit the issue remotely by uploading a maliciously formatted backup file to the diag_backup.php endpoint. Successful exploitation grants full control over the target appliance, including the ability to read, modify, or delete data and execute system-level commands with the privileges of the OPNsense process.
Public references point to a fix committed in the OPNsense core repository that addresses the injection path in diag_backup.php. Administrators are advised to upgrade to Community Edition 23.7 or Business Edition 23.4.2 or later to obtain the patched code.
The associated EPSS score has remained flat at 0.0550 with no material increase since disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-42758
Vulnerability details
A command injection vulnerability in the component diag_backup.php of OPNsense Community Edition before 23.7 and Business Edition before 23.4.2 allows attackers to execute arbitrary commands via a crafted backup configuration file.
- CWE(s): CWE-77
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.