Cyber Resilience

CVE-2023-50090

Critical

Published: 03 January 2024

Published
03 January 2024
Modified
03 June 2025
KEV Added
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0010 27.0th percentile
Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2023-50090 is a critical-severity an unspecified weakness vulnerability in Ureport2 Project Ureport2. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Web Shell (T1505.003); ranked at the 27.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

EU & UK References

Vulnerability details

Arbitrary File Write vulnerability in the saveReportFile method of ureport2 2.2.9 and before allows attackers to write arbitrary files and run arbitrary commands via crafted POST request.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1505.003 Web Shell Persistence
Adversaries may backdoor web servers with web shells to establish persistent access to systems.
T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1608.001 Upload Malware Resource Development
Adversaries may upload malware to third-party or adversary controlled infrastructure to make it accessible during targeting.
Why these techniques?

The arbitrary file write vulnerability in the public-facing ureport2 web application (exploitable remotely via crafted POST request) enables T1190 (exploit public-facing application), facilitates writing web shells for execution (T1100) and persistence (T1505.003), and allows staging malware on the victim (T1608.001), ultimately leading to arbitrary command execution.

Affected Assets

ureport2 project
ureport2
≤ 2.2.9

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References