cbcvebase.
CVE-2023-2648
published 2023-05-11


Priority: P1 86 · critical 9.8 (CVSS 3.1)
AV:N AC:L PR:N UI:N S:U C:H I:H A:H
ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 28.48% (97.9th percentile)

A vulnerability was found in Weaver E-Office 9.5. It has been classified as critical. This affects an unknown part of the file /inc/jquery/uploadify/uploadify.php. The manipulation of the argument Filedata leads to unrestricted upload. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-228777 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

Affected (1 range)

Vendor: weaver
Product: e-office
Version range:
Fixed in:

Detection & IOCs (extracted from sources)

path: /inc/jquery/uploadify/uploadify.php
url: POST /inc/jquery/uploadify/uploadify.php HTTP/1.1
filename: {{file}}.php.
  • The exploit uploads a PHP webshell via a multipart POST to /inc/jquery/uploadify/uploadify.php using the 'Filedata' parameter. The filename uses a trailing dot bypass (e.g., 'file.php.') to circumvent extension filtering.
  • After upload, the dropped PHP file is accessed via a second POST request to /attachment/{extracted_id}/{file}.php to confirm remote code execution. Monitor for HTTP 200 responses to dynamically named PHP files under /attachment/.
  • The exploit uses a numeric directory name (extracted via regex '([0-9]+)' from the upload response body) as the path component under /attachment/ where the webshell is stored.
  • FOFA fingerprinting queries for the target application are 'app="泛微-EOffice"' and 'app="泛微-eoffice"', useful for identifying exposed instances.
  • Successful exploitation is confirmed by the presence of the MD5 hash of the string 'CVE-2023-2648' in the HTTP response body of the second request, alongside a 200 status code.
  • The upload endpoint /inc/jquery/uploadify/uploadify.php is unauthenticated and requires no prior login, making this a zero-interaction pre-auth RCE (CVSS 9.8, PR:N, UI:N).
  • The Nuclei template is marked 'intrusive' and 'verified', meaning it actively uploads a file to the target. Use only in authorized testing environments.
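
A log-side check for the request pattern described in the bullets above, as an added example (not taken from the advisory or the Nuclei template). It assumes a common/combined-format web server access log; the function and variable names are illustrative and the sample lines are constructed.

```python
import re
from collections import defaultdict

UPLOAD_PATH = "/inc/jquery/uploadify/uploadify.php"
# A PHP file served directly from a numeric directory under /attachment/.
DROPPED_PHP = re.compile(r"^/attachment/([0-9]+)/[^/?]+\.php(?:\?|$)", re.I)
# Common/combined log format: ip - - [ts] "METHOD path PROTO" status size ...
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def scan(lines):
    """Return findings as (severity, client_ip, detail), in log order."""
    findings = []
    uploads = defaultdict(int)  # client ip -> upload POSTs seen so far
    for raw in lines:
        m = LINE.match(raw)
        if not m:
            continue  # skip lines that are not in the assumed format
        ip, ts, method, path, status = m.groups()
        bare = path.split("?", 1)[0]
        if method == "POST" and bare.lower() == UPLOAD_PATH:
            # The endpoint is unauthenticated, so every POST deserves review.
            uploads[ip] += 1
            findings.append(("medium", ip, f"{ts} upload POST {bare} -> {status}"))
        elif DROPPED_PHP.match(path) and status == "200":
            # A 200 for PHP under /attachment/ is suspicious on its own;
            # it is high severity when the same client uploaded earlier.
            sev = "high" if uploads[ip] else "medium"
            findings.append((sev, ip, f"{ts} PHP served {bare} -> 200"))
    return findings

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE = [
    '198.51.100.7 - - [11/May/2023:10:00:01 +0000] "POST /inc/jquery/uploadify/uploadify.php HTTP/1.1" 200 10 "-" "curl"',
    '198.51.100.7 - - [11/May/2023:10:00:02 +0000] "POST /attachment/1234567890/a1b2c3.php HTTP/1.1" 200 32 "-" "curl"',
    '203.0.113.9 - - [11/May/2023:10:05:00 +0000] "GET /attachment/42/report.pdf HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [11/May/2023:10:05:09 +0000] "GET /attachment/42/x.php HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for severity, ip, detail in scan(SAMPLE):
        print(severity, ip, detail)
```

The multipart filename (the trailing-dot form) does not appear in access logs, so matching on it requires request-body inspection at a WAF or reverse proxy.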

CVSS provenance

nvd · v3.1 · 9.8 CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd · v2.0 · 6.5 MEDIUM · AV:N/AC:L/Au:S/C:P/I:P/A:P
vulncheck · 6.3 MEDIUM