CVE-2023-0830
Published 2023-02-14
Priority: P277, high, 8.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 20.86% (97.2th percentile)
A vulnerability classified as critical has been found in EasyNAS 1.1.0. Affected is the function system of the file /backup.pl. The manipulation leads to os command injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. It is recommended to upgrade the affected component.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| easynas | easynas | — | — |
Detection & IOCs (extracted from sources)
URL: https://<host>/easynas/backup.pl?action=backup&menu=none&.submit=Backup&name=%7cecho+<payload>+%7c+base64+-d+%7c+sudo+sh+%7c%7ca+%23
- Detect GET requests to /easynas/backup.pl containing pipe-encoded characters (%7c) in the 'name' parameter, indicative of OS command injection attempts.
- Alert on HTTP requests to /easynas/backup.pl where the 'name' query parameter contains URL-encoded pipe characters (%7c) combined with base64, sudo, or sh keywords.
- Flag use of the anomalous User-Agent 'Mozilla/5.0 Gecko/20100101 Firefox/72.0' (missing platform token) in requests to EasyNAS endpoints, as used by the public exploit.
- Monitor for outbound /dev/tcp reverse shell connections spawned from the web server process (e.g., bash child process of a Perl web process making TCP connections).
- Detect POST requests to /easynas/login.pl followed immediately by a GET to /easynas/backup.pl with injection patterns in the name parameter; this two-step sequence is the exploit's authentication + attack flow.
- Authentication is required to exploit this vulnerability; the attacker must supply valid credentials before the injection endpoint is reachable.
- The exploit targets EasyNAS 1.1.0 specifically; the NVD advisory recommends upgrading the affected component to remediate.
- The exploit disables TLS certificate verification (verify=False), so HTTPS inspection/interception may not catch it via certificate errors alone.
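The HTTP-level detections listed above, combined into one pass over web-server access logs, as an added example (not part of the original page or of any vendor rule). The combined log format, the reason labels and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumed input: access log in combined log format (client ... "METHOD URI PROTO" ... "UA").
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" '
    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"')
EXPLOIT_UA = "Mozilla/5.0 Gecko/20100101 Firefox/72.0"  # User-Agent quoted on the page
KEYWORDS = re.compile(r"\b(base64|sudo|sh)\b")

def analyze(lines):
    """Return [(client_ip, sorted reason labels)] for suspicious backup.pl requests."""
    logged_in = set()  # clients seen POSTing to login.pl earlier in the log
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["uri"])
        if m["method"] == "POST" and url.path == "/easynas/login.pl":
            logged_in.add(m["ip"])
            continue
        if m["method"] != "GET" or url.path != "/easynas/backup.pl":
            continue
        # parse_qs percent-decodes, so %7c and %7C both become '|'
        name = " ".join(parse_qs(url.query, keep_blank_values=True).get("name", []))
        if "|" not in name:
            continue
        reasons = {"pipe-in-name"}
        if KEYWORDS.search(name):
            reasons.add("shell-keyword")
        if m["ua"] == EXPLOIT_UA:
            reasons.add("exploit-user-agent")
        if m["ip"] in logged_in:  # simplification: any earlier login, not only the previous request
            reasons.add("login-then-backup")
        findings.append((m["ip"], sorted(reasons)))
    return findings

SAMPLE = [  # constructed log lines, not captured traffic; PLACEHOLDER stands in for <payload>
    '198.51.100.7 - - [14/Feb/2023:10:00:01 +0000] "POST /easynas/login.pl HTTP/1.1" 200 512 "-" "Mozilla/5.0 Gecko/20100101 Firefox/72.0"',
    '198.51.100.7 - - [14/Feb/2023:10:00:02 +0000] "GET /easynas/backup.pl?action=backup&menu=none&.submit=Backup&name=%7cecho+PLACEHOLDER+%7c+base64+-d+%7c+sudo+sh+%7c%7ca+%23 HTTP/1.1" 200 128 "-" "Mozilla/5.0 Gecko/20100101 Firefox/72.0"',
    '203.0.113.9 - - [14/Feb/2023:10:05:00 +0000] "GET /easynas/backup.pl?action=backup&menu=none&.submit=Backup&name=weekly HTTP/1.1" 200 128 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/110.0"',
]

if __name__ == "__main__":
    for ip, reasons in analyze(SAMPLE):
        print(ip, ", ".join(reasons))
```

The /dev/tcp reverse-shell indicator is a process and network signal and needs host telemetry rather than access logs, so it is not covered here.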
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | v4.0 | 5.3 | MEDIUM | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| nvd | v2.0 | 6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P |