CVE-2023-5399
Published: 04 October 2023
Summary
CVE-2023-5399 is a critical-severity Path Traversal (CWE-22) vulnerability in Schneider-Electric Spacelogic C-Bus Toolkit. Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 3.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
A path traversal vulnerability tracked as CVE-2023-5399 affects the File Command component of the C-Bus software. The flaw, classified as CWE-22, stems from improper limitation of a pathname to a restricted directory, which can be abused to tamper with arbitrary files on the Windows host running the C-Bus application.
Unauthenticated attackers can exploit the issue remotely over the network without user interaction. Successful exploitation grants full read/write access to the file system, enabling modification or deletion of configuration files, installation of malicious payloads, or disruption of the C-Bus installation, consistent with the CVSS 9.8 rating reflecting complete loss of confidentiality, integrity, and availability.
Schneider Electric’s advisory SEVD-2023-283-01, referenced in the published notice, supplies the official remediation guidance and should be consulted for patch availability and configuration changes. The associated EPSS score has remained steady at 0.2506 since disclosure, indicating sustained but not sharply increasing exploitation interest.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-57714
Vulnerability details
A CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability exists that could cause tampering of files on the personal computer running C-Bus when using the File Command.
- CWE(s): CWE-22 (Improper Limitation of a Pathname to a Restricted Directory)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Control mapping for this CVE has not run yet; the list below is derived from the weakness type (CWE-22) cited in the NVD entry.
Validates pathnames and filenames to prevent traversal outside intended directories.
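The control above is the general remedy for CWE-22. The following is an added example of how a file-command style service can validate a client-supplied pathname before touching the file system; it is not code from Schneider Electric or the C-Bus Toolkit and knows nothing about how the affected File Command is implemented. It assumes a single base directory that holds all client-visible files, accepts both Windows and POSIX separators, and treats drive letters, UNC prefixes, `..` components, alternate data streams, trailing dots or spaces, and symlinks that resolve outside the base as rejections. The sample requests and the `cbus_projects` directory name are constructed for the demonstration.

```python
"""Defensive pathname validation for a file-command style service.

Added example, not code from Schneider Electric or the C-Bus Toolkit. It
assumes the service stores client-visible files under one base directory and
that clients may send either Windows ('\\') or POSIX ('/') separators.
"""
import os
import tempfile
from pathlib import Path, PureWindowsPath


class PathTraversalError(ValueError):
    """Raised when a client-supplied pathname would escape the base directory."""


# NUL terminates C strings (truncation); ':' introduces drive letters and
# NTFS alternate data streams. Neither belongs inside a single path component.
_FORBIDDEN_IN_COMPONENT = ("\x00", ":")


def safe_join(base_dir, requested):
    """Return the absolute path for `requested` under `base_dir`, or raise.

    Validation runs on the lexical form first, then on the resolved form so
    that a symlink inside the base cannot redirect the access outside it.
    """
    base = Path(base_dir).resolve()
    # Parse with Windows rules on every host so that '\\' and '/' both count
    # as separators and drive/UNC prefixes are recognised (assumption: the
    # clients of this service send Windows-style paths).
    win = PureWindowsPath(requested)
    if win.drive or win.root:
        raise PathTraversalError(f"absolute, UNC or drive-relative path rejected: {requested!r}")
    parts = win.parts  # pathlib already collapses '.' and repeated separators
    if not parts:
        raise PathTraversalError("empty pathname rejected")
    for part in parts:
        if part == "..":
            raise PathTraversalError(f"parent-directory component rejected: {requested!r}")
        if any(ch in part for ch in _FORBIDDEN_IN_COMPONENT):
            raise PathTraversalError(f"forbidden character in component: {part!r}")
        # Windows silently strips trailing dots and spaces, so 'site.xml. '
        # would open 'site.xml'; reject the alias rather than guess.
        if part != part.rstrip(". "):
            raise PathTraversalError(f"trailing dot/space in component: {part!r}")
    candidate = base.joinpath(*parts).resolve()
    # resolve() follows symlinks; compare whole path components rather than
    # string prefixes so that '<base>2/...' is not mistaken for '<base>/...'.
    if os.path.commonpath([str(base), str(candidate)]) != str(base):
        raise PathTraversalError(f"resolved path leaves base directory: {candidate}")
    return candidate


# Constructed sample requests: the first two are legitimate, the rest are the
# kinds of input a traversal check must refuse.
SAMPLE_REQUESTS = (
    "reports/site.xml",
    "reports\\site.xml",
    "..\\..\\Windows\\win.ini",
    "reports/../../../secret.txt",
    "C:\\Windows\\System32\\drivers\\etc\\hosts",
    "\\\\fileserver\\share\\site.xml",
    "/etc/passwd",
    "reports/site.xml:hidden",
    "reports/site.xml. ",
    "escape/secret.txt",
)


def demo():
    """Run SAMPLE_REQUESTS against a throwaway base directory.

    Returns a dict mapping each request to 'allowed' or 'rejected'.
    """
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp) / "cbus_projects"  # constructed base directory
        (base / "reports").mkdir(parents=True)
        (base / "reports" / "site.xml").write_text("<project/>")
        # Edge case: a symlink *inside* base that points *outside* it. The
        # lexical checks pass 'escape/secret.txt'; only the resolved check
        # catches it.
        try:
            (base / "escape").symlink_to(Path(tmp))
        except OSError:
            pass  # no symlink privilege on this host; that case is skipped
        for req in SAMPLE_REQUESTS:
            if req == "escape/secret.txt" and not (base / "escape").is_symlink():
                continue
            try:
                safe_join(base, req)
                results[req] = "allowed"
            except PathTraversalError:
                results[req] = "rejected"
    return results


if __name__ == "__main__":
    for req, verdict in demo().items():
        print(f"{verdict:8} {req!r}")
```

The lexical checks alone are not enough: a symlink planted inside the base directory passes every string-level test, which is why the resolved path is compared to the base with `os.path.commonpath` after `resolve()` has followed links. Any decoding the service performs (URL or other escaping) must happen before `safe_join` is called, so that the validated string is the one actually used to open the file.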