Cyber Resilience

CVE-2023-5399

Critical

Published: 04 October 2023

Modified: 21 November 2024
KEV Added: not listed
Patch
CVSS Score (v3.1): 9.8, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score: 0.2506 (96.3rd percentile)
Risk Priority: 35 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2023-5399 is a critical-severity Path Traversal (CWE-22) vulnerability in Schneider Electric SpaceLogic C-Bus Toolkit. Its CVSS base score is 9.8 (Critical).

Operationally, it ranks in the top 3.7% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog.

Deeper analysis

A path traversal vulnerability tracked as CVE-2023-5399 affects the File Command component of C-Bus software. The flaw, classified as CWE-22, permits improper pathname handling that can be abused to tamper with arbitrary files on the host Windows system running the C-Bus application.

Unauthenticated attackers can exploit the issue remotely over the network without user interaction. Successful exploitation grants full read/write access to the file system, enabling modification or deletion of configuration files, installation of malicious payloads, or disruption of the C-Bus installation, consistent with the CVSS 9.8 rating, which reflects complete loss of confidentiality, integrity, and availability.

Schneider Electric’s advisory SEVD-2023-283-01, referenced in the published notice, supplies the official remediation guidance and should be consulted for patch availability and configuration changes. The associated EPSS score has remained steady at 0.2506 since disclosure, indicating sustained but not sharply increasing exploitation interest.

EU & UK References

Vulnerability details

A CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability exists that could cause tampering of files on the personal computer running C-Bus when using the File Command.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: schneider-electric
Product: spacelogic c-bus toolkit
Versions: ≤ 1.16.4

Mitigating Controls

Likely Mitigating Controls (AI)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses CWE-22: validates pathnames and filenames to prevent traversal outside intended directories.
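The control above is the generic defence for CWE-22. The following is an added illustration of how such a check is typically implemented; it is example code written for this page, not Schneider Electric's code, and nothing here reflects how the C-Bus File Command actually handles paths. The base directory `/srv/cbus/projects` and the function name `safe_join` are constructed for the example. The check is lexical (it normalises `..`, accepts both `/` and `\` as separators, and rejects absolute, drive-letter and UNC paths); a deployment that follows symlinks would additionally resolve the candidate with `os.path.realpath` before the containment test.

```python
"""Lexical path-containment check for user-supplied file names.

Added example for CWE-22 mitigation; not vendor code. The base directory
and all sample inputs below are constructed for illustration.
"""
import posixpath
import re
from typing import Optional

# Constructed example: the directory that user-supplied file operations
# are allowed to touch.
BASE_DIR = "/srv/cbus/projects"

# Windows drive letters ("C:...") and UNC prefixes ("\\server", "//server").
_DRIVE_OR_UNC = re.compile(r"^(?:[A-Za-z]:|\\\\|//)")


def safe_join(base_dir: str, user_path: str) -> Optional[str]:
    """Return the normalised path if it stays inside base_dir, else None.

    The caller should treat None as a rejected request; the function never
    raises so that it can be used in a request-handling path without
    surprising the surrounding error handling.
    """
    # NUL bytes truncate paths in many C-based file APIs; never pass them on.
    if "\x00" in user_path:
        return None

    # Windows hosts accept both separators, so treat "\" as "/" before
    # normalising; otherwise "..\\..\\x" would survive as a single component.
    p = user_path.replace("\\", "/")

    # Only relative paths are acceptable: absolute, drive-letter and UNC
    # paths name a location outside the base directory by construction.
    if p.startswith("/") or _DRIVE_OR_UNC.match(user_path):
        return None

    base = posixpath.normpath(base_dir)
    candidate = posixpath.normpath(posixpath.join(base, p))

    # Containment test. The trailing "/" matters: without it,
    # "/srv/cbus/projectsX" would pass a plain prefix check.
    if candidate != base and not candidate.startswith(base + "/"):
        return None
    return candidate


if __name__ == "__main__":
    # Constructed sample inputs: the first two are benign, the rest attempt
    # to escape the base directory in different ways.
    for name in ("site1/project.cbz",
                 "site1/../site2/notes.txt",
                 "../../../Windows/win.ini",
                 "..\\..\\secret.txt",
                 "C:\\Windows\\win.ini",
                 "\\\\server\\share\\x"):
        print(f"{name!r:32} -> {safe_join(BASE_DIR, name)}")
```

In a real file-command handler the returned path is the only thing ever passed to `open()`, `os.remove()` or similar; the raw user string is never used after the check.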

References