CVE-2023-39008
Published: 09 August 2023
Summary
CVE-2023-39008 is a critical-severity Command Injection (CWE-77) vulnerability in OPNsense. Its CVSS 3.1 base score is 9.8 (Critical).
Operationally, it ranks in the top 9.9% of CVEs by EPSS exploit likelihood, is not currently listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, and has a public proof-of-concept referenced.
Deeper analysis
A command injection vulnerability tracked as CVE-2023-39008 affects the /api/cron/settings/setJob/ endpoint in OPNsense Community Edition prior to version 23.7 and Business Edition prior to 23.4.2. The flaw is classified as CWE-77 and carries a CVSS 3.1 base score of 9.8, which corresponds to the vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H: network-reachable, low complexity, no privileges and no user interaction required. Crafted input to the cron job settings is not properly neutralised and ends up in a command line, so an attacker who can call the endpoint can execute arbitrary system commands on the underlying host.
The scoring treats the endpoint as reachable without authentication; in practice /api/ is served by the OPNsense web GUI's API, which normally requires a valid API key or session, so treat the score as an upper bound and the management plane as the attack surface. The consequence is worse than the score's wording suggests on one point: the injected command does not run as the web-server user but when the cron job fires, and OPNsense cron entries dispatch configd actions that run as root. A successful injection is therefore a full compromise of the firewall, including configuration changes, data exfiltration and persistence via the cron job itself.
Public references point to a corrective commit in the OPNsense core repository that addresses input handling in the cron job settings endpoint; operators should upgrade to Community Edition 23.7 or Business Edition 23.4.2, or later. The EPSS score is 0.0518 and has shown no material increase since disclosure.
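Two checks a practitioner would want from the analysis above, as an added example that is not code from the page, from OPNsense or from the referenced proof-of-concept: a version comparison against the fixed releases named here, and an allowlist inspection of setJob request bodies, which is the kind of neutralisation CWE-77 calls for and doubles as a detection over captured API traffic. It assumes that OPNsense hotfix suffixes such as `_2` do not change the base release, that the request body is JSON shaped like `{"job": {"command": ..., "parameters": ...}}`, and that the sample requests, which are constructed for this example, are representative; check the real payload format on your build.

```python
import json
import re
from typing import List, Tuple

# Fixed releases named in the advisory. Anything older is affected.
FIXED_RELEASE = {
    "community": (23, 7),
    "business": (23, 4, 2),
}

SETJOB_PATH = "/api/cron/settings/setJob/"

# Allowlist for cron job fields: word characters, space and a few punctuation
# characters. Shell metacharacters (; & | ` $ ( ) < > quotes, newlines) are
# rejected outright rather than escaped. The exact set is an assumption for this
# example; tune it to what your jobs legitimately need.
ALLOWED_RE = re.compile(r"^[\w .,:=/-]*$")


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn an OPNsense version string such as '23.1.11_2' into a comparable tuple.
    The '_N' hotfix suffix is dropped (assumption: it never changes the base release)."""
    base = version.strip().split("_", 1)[0]
    return tuple(int(part) for part in base.split("."))


def is_vulnerable(edition: str, version: str) -> bool:
    """True when the given edition/version is older than the fixed release."""
    fixed = FIXED_RELEASE[edition.lower()]
    have = parse_version(version)
    # Pad to equal length so that 23.7 is compared as 23.7.0 against 23.4.2.
    width = max(len(fixed), len(have))
    have_padded = have + (0,) * (width - len(have))
    fixed_padded = fixed + (0,) * (width - len(fixed))
    return have_padded < fixed_padded


def inspect_setjob(path: str, body: str) -> List[str]:
    """Return the names of setJob fields that fail the allowlist, [] if the request
    is clean or is not a setJob call, or a single marker for a malformed body."""
    if not path.startswith(SETJOB_PATH):
        return []
    try:
        payload = json.loads(body)
    except ValueError:
        return ["unparseable-body"]
    job = payload.get("job") if isinstance(payload, dict) else None
    if not isinstance(job, dict):
        return ["unexpected-shape"]
    return [
        field
        for field in ("command", "parameters")
        if not ALLOWED_RE.match(str(job.get(field, "")))
    ]


# Constructed sample requests (not real captures): a benign job, one whose
# parameters carry a shell metacharacter sequence, and an unrelated API call.
SAMPLE_REQUESTS = [
    (SETJOB_PATH,
     '{"job": {"enabled": "1", "command": "firmware auto-update", '
     '"parameters": "", "description": "nightly update"}}'),
    (SETJOB_PATH,
     '{"job": {"enabled": "1", "command": "firmware auto-update", '
     '"parameters": "; id > /tmp/marker", "description": "x"}}'),
    ("/api/cron/settings/get", "{}"),
]


def scan(requests) -> List[Tuple[str, List[str]]]:
    """Run inspect_setjob over (path, body) pairs and keep only the findings."""
    results = []
    for path, body in requests:
        findings = inspect_setjob(path, body)
        if findings:
            results.append((path, findings))
    return results


if __name__ == "__main__":
    for edition, version in (("community", "23.1.11_2"), ("community", "23.7"),
                             ("business", "23.4.1"), ("business", "23.4.2")):
        state = "VULNERABLE" if is_vulnerable(edition, version) else "fixed"
        print(f"{edition:9s} {version:10s} {state}")
    for path, findings in scan(SAMPLE_REQUESTS):
        print(f"suspicious setJob request to {path}: fields {findings}")
```

The version check errs on the side of reporting: an edition string it does not know raises a KeyError rather than silently returning "fixed". The allowlist check is deliberately positive rather than a denylist of metacharacters, because a denylist is what command-injection fixes tend to get wrong; anything outside the permitted character set is rejected, including newlines, which in a crontab would start a second job.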
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-42765
Vulnerability details
A command injection vulnerability in the component /api/cron/settings/setJob/ of OPNsense Community Edition before 23.7 and Business Edition before 23.4.2 allows attackers to execute arbitrary system commands.
- CWE(s): CWE-77, Improper Neutralization of Special Elements used in a Command ('Command Injection')
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
- OPNsense Community Edition before 23.7
- OPNsense Business Edition before 23.4.2
Mitigating Controls
- Upgrade to OPNsense Community Edition 23.7 or Business Edition 23.4.2, or later; these carry the corrective commit for the cron job settings endpoint.
- Until patched, restrict reachability of the web GUI and its /api/ endpoints to trusted management networks; the flaw is only exploitable by whoever can reach /api/cron/settings/setJob/.
- Review configured cron jobs for unexpected entries or parameters containing shell metacharacters, since an injected job persists across reboots until removed.