CVE-2023-23333
published 2023-02-06


Priority: P1 93
Severity: critical, CVSS 3.1 base score 9.8
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: ITW, EXPLOIT, VulnCheck KEV, Initial access
Exploited in the wild
EPSS: 99.27% (99.9th percentile)
There is a command injection vulnerability in SolarView Compact through 6.00, attackers can execute commands by bypassing internal restrictions through downloader.php.

Affected

1 range
Vendor: contec | Product: solarview_compact_firmware | Version range: <= 6.00 | Fixed in: (none listed)

Detection & IOCs (extracted from sources)

path: /downloader.php
url: http://{ip}:{port}/downloader.php?file=;echo%20Y2F0IC9ldGMvcGFzc3dkCg%3D%3D|base64%20-d|bash%00.zip
command: GET /downloader.php?file=%3B{{cmd}}%00.zip
snort:
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Contec SolarView Compact downloader.php Command Injection Attempt (CVE-2023-23333)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/downloader.php?file|3d 3b|"; fast_pattern; startswith; reference:url,attackerkb.com/topics/kE3lzTZGV2/cve-2023-23333; reference:cve,2023-23333; classtype:attempted-admin; sid:2051668; rev:1; metadata:affected_product CONTEC_SolvarView, attack_target Networking_Equipment, tls_state plaintext, created_at 2024_03_15, cve CVE_2023_23333, deployment Perimeter, performance_impact Low, confidence High, signature_severity Major, updated_at 2024_03_15, mitre_tactic_id TA0008, mitre_tactic_name Lateral_Movement, mitre_technique_id T1210, mitre_technique_name Exploitation_Of_Remote_Services; target:dest_ip;)
bytes: /downloader.php?file|3d 3b|
  • Shodan dork to identify exposed SolarView Compact instances: search for 'http.html:"solarview compact"' or favicon hash '-244067125'
  • FOFA dork to identify exposed SolarView Compact instances
  • The exploit payload uses a null-byte (%00) followed by '.zip' to bypass file extension restrictions in the 'file' parameter of downloader.php
  • The exploit injects a semicolon (;) as the first character of the 'file' parameter to break out of the intended command context — look for URL-encoded %3B or literal ';' at the start of the file parameter value
  • After successful exploitation, the webserver process runs as user 'contec' — look for unexpected process spawning under this user
  • Exploit PoC checks for 'root' string in HTTP response body to confirm /etc/passwd read via command injection
  • The Nuclei template matches a reversed CVE string '33332-3202-EVC' in the response body as a blind command injection confirmation
  • Traffic is plaintext HTTP (not TLS); detection should be applied at the perimeter on unencrypted HTTP traffic
  • The vulnerability affects SolarView Compact through version 6.00 only; the product is only available/deployed in Japan
  • The exploit requires no authentication (unauthenticated RCE), so no credential-based detection is applicable
  • EPSS score of 0.94216 (99.924th percentile) indicates very high likelihood of exploitation in the wild; prioritize detection and patching accordingly

CVSS provenance

Source: nvd | CVSS v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Source: vulncheck | 9.8 | CRITICAL