Command Injection Vulnerability in OPNsense Community and Business Edition
CVE-2023-39001

9.8CRITICAL

Key Information:

Vendor: Opnsense
Status: Opnsense
Vendor: CVE Published:; 9 August 2023

What is CVE-2023-39001?

A command injection vulnerability exists in the diag_backup.php component of OPNsense, which affects both the Community and Business Editions. This flaw allows attackers to craft malicious backup configuration files that, when processed, enable the execution of arbitrary commands on the server. Versions prior to 23.7 for Community Edition and 23.4.2 for Business Edition are impacted, necessitating prompt review and remediation to safeguard against potential exploits.

References

https://github.com/opnsense/core/commit/e800097d0c287bb66...

https://logicaltrust.net/blog/2023/08/opnsense.html

EPSS Score

5% chance of being exploited in the next 30 days.

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Aug 9, 2023
Vulnerability Reserved
Jul 25, 2023

CVE-2023-39001 Data

JSON

Opnsense

What is CVE-2023-39001?

References

EPSS Score

CVSS V3.1

Timeline