qBittorrent Web UI Default Credentials Lead to RCE
CVE-2023-30801

9.8CRITICAL

Key Information:

Vendor

Qbittorrent

Status
Qbittorrent Client
Vendor
CVE Published:
10 October 2023

What is CVE-2023-30801?

The qBittorrent client versions up to 4.5.5 have a significant security flaw due to the usage of default credentials when the web user interface is enabled. The software does not enforce a mandatory change to these default credentials, allowing remote attackers to exploit the vulnerability. By leveraging default credentials, an attacker can authenticate to the web interface and execute arbitrary operating system commands through the 'external program' feature. This vulnerability has been targeted in attacks as early as March 2023, underscoring the urgency for users to secure their installations against unauthorized access.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

qBittorrent client Windows 0 <= 4.5.5

References

https://github.com/qbittorrent/qBittorrent/issues/18731
issue-tracking
https://vulncheck.com/advisories/qbittorrent-default-creds
third-party-advisory
https://lists.fedoraproject.org/archives/list/package-ann...

CVSS V3.1

Score:
9.8
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.