Cyber Resilience

CVE-2023-7327

High · Public PoC

Published: 12 November 2025
Modified: 15 April 2026
KEV Added
Patch
CVSS Score v4: 8.7 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.1764 (95.2th percentile)
Risk Priority: 28 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2023-7327 is a high-severity Path Traversal (CWE-22) vulnerability. Its CVSS base score is 8.7 (High).

Operationally, it ranks in the top 4.8% of CVEs by exploit likelihood, it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

Deeper analysis

Ozeki SMS Gateway versions up to and including 10.3.208 contain a path traversal vulnerability tracked as CVE-2023-7327 and assigned CWE-22. The flaw permits URL-encoded directory traversal sequences in requests to the gateway, enabling an attacker to retrieve arbitrary files from the underlying filesystem using the service account privileges and resulting in exposure of sensitive information. The vulnerability carries a CVSS 4.0 score of 8.7 reflecting network attack vector, low complexity, and no required authentication or user interaction.

An unauthenticated remote attacker can exploit the issue by submitting crafted HTTP requests containing traversal sequences to read configuration files, credentials, or other sensitive data stored on the host. Successful exploitation yields direct disclosure of information without needing prior access or elevated privileges on the target system. The current EPSS score of 0.1764 shows no material increase from its recorded peak.

Vulnerability details

Ozeki SMS Gateway versions up to and including 10.3.208 contain a path traversal vulnerability. Successful exploitation allows an unauthenticated attacker to use URL-encoded traversal sequences to read arbitrary files from the underlying filesystem with the privileges of the gateway service, leading to disclosure of sensitive information.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Ozeki SMS Gateway
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Likely Mitigating Controls (AI)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-22

Validates pathnames and filenames to prevent traversal outside intended directories.
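The control above, as an added example (not code from this page or from Ozeki): a filter that inspects the raw request path misses URL-encoded traversal, while decoding to a fixed point and then canonicalising against the document root catches it. `WEB_ROOT`, the function names and the sample paths are assumptions constructed for illustration.

```python
import posixpath
from urllib.parse import unquote

WEB_ROOT = "/srv/gateway/www"  # assumed document root, not taken from the advisory
MAX_DECODE_ROUNDS = 5          # bound on nested percent-encoding layers

def naive_is_safe(raw_path: str) -> bool:
    """Flawed check: searches the still-encoded path for literal '../'."""
    return "../" not in raw_path and "..\\" not in raw_path

def fully_decode(raw_path: str) -> str:
    """Percent-decode until stable so %252e%252e is seen as '..'."""
    current = raw_path
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(current)
        if decoded == current:
            return decoded
        current = decoded
    raise ValueError("too many encoding layers")

def resolve_under_root(raw_path: str, root: str = WEB_ROOT) -> str:
    """Return the canonical path under root, or raise ValueError."""
    decoded = fully_decode(raw_path).replace("\\", "/")  # treat '\' as a separator
    if "\x00" in decoded:
        raise ValueError("NUL byte in path")
    candidate = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    # Lexical check only; on a real filesystem also resolve symlinks
    # (os.path.realpath) before comparing against the root.
    if candidate != root and not candidate.startswith(root + "/"):
        raise ValueError("path escapes document root")
    return candidate

def classify(raw_path: str) -> str:
    """'allowed' or 'blocked' for one request path."""
    try:
        resolve_under_root(raw_path)
        return "allowed"
    except ValueError:
        return "blocked"

# Constructed sample request paths (not observed traffic).
SAMPLES = ["index.html", "css/../index.html", "..%2f..%2fconfig%2fsettings.xml",
           "%2e%2e%5c%2e%2e%5csettings.xml", "%252e%252e%252fsettings.xml"]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s!r:40} naive_ok={naive_is_safe(s)!s:5} strict={classify(s)}")
```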

References