Cyber Resilience

CVE-2023-54331

High · Public PoC

Published: 13 January 2026

Modified: 02 February 2026
KEV Added
Patch
CVSS Score v4: 8.5 (CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0020 (9.4th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2023-54331 is a high-severity Unquoted Search Path or Element (CWE-428) vulnerability in Getoutline Outline. Its CVSS base score is 8.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Path Interception by Unquoted Path (T1574.009). The CVE ranks at the 9.4th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and SA-6 (Software Usage Restrictions).

Deeper analysis

CVE-2023-54331 is an unquoted service path vulnerability affecting Outline version 1.6.0. The issue resides in the OutlineService executable, where the service path is not properly quoted, enabling local privilege escalation. This flaw, classified under CWE-428, has a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high impact potential upon successful exploitation.

Local attackers with low-privilege (PR:L) access on a vulnerable system can exploit the unquoted path by placing a malicious executable in a directory that precedes the legitimate OutlineService binary in the system's search path. When the OutlineService is started or restarted, the system executes the attacker's malicious code instead, granting LocalSystem-level privileges. This allows full control over the system, including arbitrary code execution with elevated permissions.

Advisories and references provide further details on the vulnerability. The VulnCheck advisory at https://www.vulncheck.com/advisories/outline-unquoted-service-path outlines the issue, while an exploit is publicly available at https://www.exploit-db.com/exploits/51128. The official Outline site at https://getoutline.org/ serves as a resource for the affected software. No specific patch details are given in the provided information.

A proof-of-concept exploit exists on Exploit-DB, demonstrating practical exploitability, though no evidence of widespread real-world exploitation is noted in the available data.
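A check for the condition described above, as an added example (not code from the advisory or the Outline project): it parses service `ImagePath` strings, flags unquoted binaries whose path contains a space, and emits the quoted form to set instead. It assumes the name/path pairs were exported from `HKLM\SYSTEM\CurrentControlSet\Services`; the service names and paths in the sample are constructed placeholders.

```python
import re

# The binary in an unquoted ImagePath ends at the first executable extension.
_EXE_END = re.compile(r'\.(exe|com|bat|cmd)(?=\s|$)', re.IGNORECASE)

def split_image_path(image_path):
    """Return (binary, arguments, was_quoted) for a service ImagePath string."""
    s = image_path.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        if end == -1:                  # unbalanced quote: report as not quoted
            return s[1:], '', False
        return s[1:end], s[end + 1:].strip(), True
    m = _EXE_END.search(s)
    if m:                              # split binary from its arguments
        return s[:m.end()], s[m.end():].strip(), False
    head, _, tail = s.partition(' ')   # no known extension: first token
    return head, tail.strip(), False

def audit(services):
    """services: iterable of (name, ImagePath). Returns CWE-428 findings."""
    findings = []
    for name, image_path in services:
        binary, args, quoted = split_image_path(image_path)
        if quoted or ' ' not in binary:
            continue                   # quoted, or nothing ambiguous to parse
        fixed = f'"{binary}"' + (f' {args}' if args else '')
        findings.append({'service': name, 'image_path': image_path,
                         'quoted_form': fixed})
    return findings

# Constructed sample data (hypothetical names and paths, not from the advisory).
SAMPLE = [
    ('ExampleSvc', r'C:\Program Files\Example Vendor\Example App\svc.exe'),
    ('ExampleArgs', r'C:\Program Files\Example Vendor\agent.exe --run service'),
    ('QuotedSvc', r'"C:\Program Files\Example Vendor\Example App\svc.exe" -k'),
    ('NoSpaces', r'C:\Windows\System32\svchost.exe -k netsvcs'),
    ('Driver', r'\SystemRoot\System32\drivers\example.sys'),
]

if __name__ == '__main__':
    for f in audit(SAMPLE):
        print(f"{f['service']}: {f['image_path']}")
        print(f"  set ImagePath to: {f['quoted_form']}")
```

Run as a script, it reports only the first two sample services, the ones whose unquoted binary path contains a space.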

Vulnerability details

Outline 1.6.0 contains an unquoted service path vulnerability that allows local attackers to potentially execute arbitrary code with elevated system privileges. Attackers can exploit the unquoted service path in the OutlineService executable to inject malicious code that will be executed with LocalSystem permissions.

Related Threats

MITRE ATT&CK Enterprise Techniques

T1574.009 Path Interception by Unquoted Path · Stealth
Adversaries may execute their own malicious payloads by hijacking vulnerable file path references.
Why these techniques?

Unquoted service path in OutlineService directly matches Path Interception by Unquoted Path, enabling local privilege escalation to LocalSystem via malicious executable placement.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-33640 · Same product: Getoutline Outline
CVE-2026-41649 · Same product: Getoutline Outline
CVE-2025-64487 · Same product: Getoutline Outline
CVE-2026-24901 · Same product: Getoutline Outline
CVE-2020-36928 · Shared CWE-428
CVE-2023-54336 · Shared CWE-428
CVE-2020-37048 · Shared CWE-428
CVE-2019-25306 · Shared CWE-428
CVE-2020-36979 · Shared CWE-428
CVE-2020-36929 · Shared CWE-428

Affected Assets

getoutline · outline · all versions

Mitigating Controls (NIST 800-53 r5)

prevent

Establishes and enforces secure configuration settings, including properly quoted paths for Windows services, directly preventing exploitation of unquoted service path vulnerabilities.

prevent

Requires timely identification, reporting, and remediation of flaws like unquoted service paths through patching or configuration fixes.

prevent

Implements deny-by-exception software execution policies via whitelisting to block unauthorized malicious executables from running despite unquoted service paths.
