CVE-2023-30801
Published 2023-10-10
Priority P183 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
In the wild: VulnCheck KEV (exploited in the wild)
EPSS: 0.91% (55.4th percentile)
All versions of the qBittorrent client through 4.5.5 use default credentials when the web user interface is enabled. The administrator is not forced to change the default credentials. As of 4.5.5, this issue has not been fixed. A remote attacker can use the default credentials to authenticate and execute arbitrary operating system commands using the "external program" feature in the web user interface. This was reportedly exploited in the wild in March 2023.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | qbittorrent | — | — |
| qbittorrent | qbittorrent | <= 4.5.5 | — |
| qbittorrent | qbittorrent_client | <= 4.5.5 | — |
Detection & IOCs (extracted from sources)
- Detect authentication attempts using qBittorrent Web UI default credentials (username: admin, password: adminadmin) against the Web UI login endpoint
- Monitor for OS command execution triggered via the qBittorrent Web UI "external program" feature, which can be abused post-authentication to run arbitrary commands
- Flag in-the-wild exploitation activity targeting qBittorrent Web UI; known active exploitation was observed in March 2023
- Debian packages across multiple releases (bookworm, bullseye, forky, sid, trixie) remain open/unpatched for this CVE
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| osv | — | 9.8 | CRITICAL | — |
| vulncheck | — | 9.8 | CRITICAL | — |
| vendor_debian | — | 9.8 | LOW | — |
GHSA
GHSA-vchq-5hmx-6hmp · ghsa_unreviewed · 2023-10-10 · CVE-2023-30801 · CRITICAL · CWE-1392
Description identical to the CVE description above.
OSV
CVE-2023-30801 · osv · 2023-10-10 · CVSS 9.8 · CRITICAL
Description identical to the CVE description above.
VulnCheck
qbittorrent qbittorrent: Use of Default Credentials · vulncheck · 2023 · CVSS 9.8 · CRITICAL
Description identical to the CVE description above.
Affected: qbittorrent qbittorrent
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://github.com/qbittorrent/qBittorrent/issues/18731; https://ww
Debian
CVE-2023-30801: qbittorrent - All versions of the qBittorrent client through 4.5.5 use default credentials whe...
vendor_debian·2023·CVSS 9.8
CVE-2023-30801 [CRITICAL] CVE-2023-30801: qbittorrent - All versions of the qBittorrent client through 4.5.5 use default credentials whe...
All versions of the qBittorrent client through 4.5.5 use default credentials when the web user interface is enabled. The administrator is not forced to change the default credentials. As of 4.5.5, this issue has not been fixed. A remote attacker can use the default credentials to authenticate and execute arbitrary operating system commands using the "external program" feature in the web user interface. This was reportedly exploited in the wild in March 2023.
Scope: local
bookworm: open
bullseye: open
forky: open
sid: open
trixie: open
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
- https://github.com/qbittorrent/qBittorrent/issues/18731
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T5WXBKELVZFZNIDONIJESOCSRPIQNCGI/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U4BNFJR3ZWVLE2YSYIQYBWVDQBBZOLEL/
- https://vulncheck.com/advisories/qbittorrent-default-creds