cbcvebase.
CVE-2023-28503
published 2023-03-29

Priority: P186 · Severity: critical · CVSS 3.1 base score: 9.8
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Flags: EXPLOIT
EPSS: 62.14% (99.1th percentile)
Rocket Software UniData versions prior to 8.2.4 build 3003 and UniVerse versions prior to 11.3.5 build 1001 or 12.2.1 build 2002 suffer from an authentication bypass vulnerability, where a special username with a deterministic password can be leveraged to bypass authentication checks and execute OS commands as the root user.

Affected (6 ranges)

Vendor            Product   Version range    Fixed in
rocket_software   unidata   < 8.2.43.3003    8.2.43.3003
rocket_software   universe  < 11.3.5.1001    11.3.5.1001
rocket_software   universe  < 12.2.1.2002    12.2.1.2002
rocketsoftware    unidata   <= 8.2.4
rocketsoftware    universe  <= 11.3.5
rocketsoftware    universe  12.0.0 – 12.2.1

Detection & IOCs (extracted from sources)

Indicators:
  • other: ':local:' (username)
  • other: '::<username>:<uid>:<any_non_zero_gid>' (password format)
  • command: 'OsCommand'
  • process: 'udadmin_server'
  • Monitor for authentication attempts to udadmin_server using the special username ':local:' — this is the bypass credential and should never appear in legitimate traffic.
  • Alert on OsCommand RPC messages originating from unauthenticated or anomalous sessions to udadmin_server, especially those resulting in root-level process spawning.
  • The udadmin_server RPC service typically runs as root; monitor for unexpected child processes (shells, reverse shells) spawned by this process.
  • Flag authentication attempts where the password field matches the pattern '::<string>:<digits>:<non-zero digits>' against the udadmin_server RPC service.
  • The authentication bypass only works when gid is non-zero; a gid of 0 (root group) is explicitly rejected by the vulnerable logic, meaning the attacker must supply a non-root gid even while achieving root command execution via OsCommand.
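As an added illustration (not code from this page or from Rocket Software), the detection guidance above turned into a small Python triage routine run over constructed sample events: it flags the ':local:' username, passwords matching the '::<string>:<digits>:<non-zero gid>' shape, and OsCommand RPC messages on sessions that never completed a normal authentication. The key=value event format, field names and sample values are assumptions; a real sensor decoding udadmin_server traffic would supply its own.

```python
import re

# Username and password shape taken from the detection guidance above;
# gid 0 is rejected by the vulnerable logic, so an all-zero gid is not a bypass.
BYPASS_USERNAME = ":local:"
BYPASS_PASSWORD_RE = re.compile(r"^::[^:]+:\d+:(?!0+$)\d+$")

# Constructed sample events in a hypothetical key=value format (assumption:
# a sensor that can see the credential fields and RPC message names).
SAMPLE_LOG = """\
auth session=7 user=alice pass=hunter2
rpc session=7 msg=ListUsers
auth session=9 user=:local: pass=::alice:1001:100
rpc session=9 msg=OsCommand
rpc session=12 msg=OsCommand
auth session=13 user=carol pass=::carol:1002:0
"""


def parse_line(line):
    """Turn 'kind k=v k=v' into a dict; values may themselves contain ':'."""
    kind, *fields = line.split()
    ev = {"kind": kind}
    for field in fields:
        key, _, value = field.partition("=")
        ev[key] = value
    return ev


def is_bypass_credential(user, password):
    """True if either the special username or the deterministic password shape is seen."""
    return user == BYPASS_USERNAME or BYPASS_PASSWORD_RE.match(password) is not None


def analyze(log_text):
    """Return (session, reason) alerts for bypass logins and unauthenticated OsCommand."""
    alerts = []
    authenticated = set()  # sessions that presented a normal credential
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev["kind"] == "auth":
            if is_bypass_credential(ev.get("user", ""), ev.get("pass", "")):
                alerts.append((ev["session"], "bypass credential presented"))
            else:
                authenticated.add(ev["session"])
        elif ev["kind"] == "rpc" and ev.get("msg") == "OsCommand":
            if ev["session"] not in authenticated:
                alerts.append((ev["session"], "OsCommand without normal authentication"))
    return alerts


if __name__ == "__main__":
    for session, reason in analyze(SAMPLE_LOG):
        print(f"session {session}: {reason}")
```

Session 13 is deliberately not flagged: its password has the documented shape but a zero gid, which the vulnerable code rejects, so it is not a working bypass attempt.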