Cyber Resilience

CVE-2023-39008

Critical · Public PoC · RCE

Published: 09 August 2023
Modified: 21 November 2024
KEV Added
Patch
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0518 (90.1st percentile)
Risk Priority: 23 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2023-39008 is a critical-severity Command Injection (CWE-77) vulnerability in OPNsense. Its CVSS base score is 9.8 (Critical).

Operationally, it ranks in the top 9.9% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

Deeper analysis

A command injection vulnerability tracked as CVE-2023-39008 affects the /api/cron/settings/setJob/ component in OPNsense Community Edition prior to version 23.7 and Business Edition prior to 23.4.2. The flaw, assigned CWE-77 and carrying a CVSS 3.1 score of 9.8, permits unauthenticated remote attackers to supply crafted input that results in execution of arbitrary system commands on the underlying host.

Because the affected endpoint is reachable over the network with no authentication or user interaction required, an attacker can use the injection to run commands with the privileges of the OPNsense web-service process, potentially leading to full system compromise, including configuration changes, data exfiltration, or persistence.

Public references point to a corrective commit in the OPNsense core repository that addresses the input-handling issue in the cron job settings endpoint; operators are advised to upgrade to the fixed releases. The associated EPSS score remains at 0.0518 with no material increase observed since disclosure.

EU & UK References

Vulnerability details

A command injection vulnerability in the component /api/cron/settings/setJob/ of OPNsense Community Edition before 23.7 and Business Edition before 23.4.2 allows attackers to execute arbitrary system commands.

CWE(s)

CWE-77: Command Injection

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: opnsense
Product: opnsense
Version: ≤ 23.7

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References