CVE-2023-24055
published 2023-01-22

Priority: P2 (78)
CVSS 3.1: 5.5 (medium), vector AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Exploitation status: exploited in the wild (ITW); public exploit; listed in VulnCheck KEV
EPSS: 3.66% (88.2nd percentile)
KeePass through 2.53 (in a default installation) allows an attacker, who has write access to the XML configuration file, to obtain the cleartext passwords by adding an export trigger. NOTE: the vendor's position is that the password database is not intended to be secure against an attacker who has that level of access to the local PC.

Affected (1 range)

Vendor   | Product | Version range | Fixed in
keepass  | keepass | <= 2.53       | (none listed)

Detection & IOCs (extracted from sources)

domain:  chatgigi2[.]com
domain:  arrowlchat[.]com
domain:  static-cdn-349[.]net
process: gup.exe
process: firefox.exe
process: ErrorReportClient.exe
command: SELECT Manufacturer, Model FROM Win32_ComputerSystem
  • ViperSoftX blocks web browser user-agents from accessing its C&C; defenders can detect C2 traffic by looking for non-browser user-agent strings reaching these domains, as the C&C returns encoded data only to modified user-agents.
  • CVE-2023-24055 exploitation involves adding an export trigger to the KeePass XML configuration file to dump cleartext passwords; monitor for unexpected modifications to KeePass XML config files, especially addition of trigger/export entries.
  • ViperSoftX scans for KeePass 2 and 1Password installations as part of its password-manager targeting; detect PowerShell scripts enumerating paths associated with these password managers.
  • The vendor (KeePass) disputes the severity of CVE-2023-24055, stating that the threat model does not cover attackers with local write access to the PC; the export trigger attack requires pre-existing write access to the KeePass XML configuration file.
  • Trend Micro's investigation found that while ViperSoftX scans for KeePass, observed detections related to CVE-2023-24055 exploitation were low in number and did not appear linked to ViperSoftX victims specifically.
  • The export-trigger behaviour behind CVE-2023-24055 has been disabled in recent KeePass patches and versions; detections targeting unpatched KeePass 2 installations (through 2.53) are the relevant scope.

CVSS provenance

nvd (v3.1):  5.5 MEDIUM, CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
vulncheck:   5.5 MEDIUM