Cyber Resilience

CVE-2023-54344

Critical · Public PoC

Published: 05 May 2026
Modified: 05 May 2026
KEV Added: not listed
Patch: none referenced
CVSS Score (v4.0): 9.3 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0055 (41.9th percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2023-54344 is a critical-severity Missing Authentication for Critical Function (CWE-306) vulnerability. Its CVSS base score is 9.3 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks the vulnerability at the 41.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SC-7 (Boundary Protection).

Deeper analysis

Eclipse Equinox OSGi versions 3.7.2 and earlier contain a remote code execution vulnerability in the console interface. This flaw, tracked as CVE-2023-54344 and published on 2026-05-05, allows attackers to execute arbitrary commands by sending specially crafted payloads. It is associated with CWE-306 (Missing Authentication for Critical Function) and carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its network accessibility and lack of prerequisites.

Unauthenticated attackers can exploit this vulnerability by connecting to the exposed OSGi console port and transmitting base64-encoded bash commands wrapped in fork directives. Successful exploitation enables arbitrary code execution on the target system, including the establishment of reverse shell connections for persistent access and further compromise.

Advisories and related resources provide details on the issue, including a Vulncheck advisory on the Eclipse Equinox OSGi remote code execution and an Exploit-DB entry (exploit 51879); the latter publishes a proof-of-concept exploit. No specific patch or mitigation details are outlined in the core CVE information.


Vulnerability details

Eclipse Equinox OSGi 3.7.2 and earlier contains a remote code execution vulnerability that allows unauthenticated attackers to execute arbitrary commands by sending payloads to the console interface. Attackers can connect to the OSGi console port and send base64-encoded bash commands wrapped in fork directives to achieve code execution and establish reverse shell connections.


Related Threats

MITRE ATT&CK Enterprise Techniques (AI-assisted mapping)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.004 Unix Shell (Execution): Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

Direct unauthenticated RCE on the exposed OSGi console constitutes exploitation of a public-facing application (T1190), and the resulting arbitrary Unix shell command execution, including reverse shells, maps to T1059.004.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2023-54342 (shared CWE-306)
CVE-2025-52089 (shared CWE-306)
CVE-2026-39987 (shared CWE-306)
CVE-2026-35546 (shared CWE-306)
CVE-2026-4810 (shared CWE-306)
CVE-2025-53847 (shared CWE-306)
CVE-2025-61757 (shared CWE-306)
CVE-2025-68715 (shared CWE-306)
CVE-2026-21992 (shared CWE-306)
CVE-2025-26362 (shared CWE-306)


Mitigating Controls (NIST 800-53 r5, AI-assisted mapping)

prevent: Requires timely remediation of the specific flaw in Eclipse Equinox OSGi 3.7.2 and earlier, eliminating the unauthenticated remote code execution vulnerability in the console interface.

prevent (CM-7, Least Functionality): Restricts system functionality by prohibiting or disabling the unnecessary OSGi console port, preventing exposure to unauthenticated remote command execution.

prevent (SC-7, Boundary Protection): Enforces boundary protection to monitor and control network communications, blocking unauthorized access to the exposed OSGi console port.
