cbcvebase.
CVE-2023-30801
published 2023-10-10

Priority: P183
CVSS 3.1: 9.8 (critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
VulnCheck KEV: Exploited in the wild
EPSS: 0.91% (55.4th percentile)
All versions of the qBittorrent client through 4.5.5 use default credentials when the web user interface is enabled. The administrator is not forced to change the default credentials. As of 4.5.5, this issue has not been fixed. A remote attacker can use the default credentials to authenticate and execute arbitrary operating system commands using the "external program" feature in the web user interface. This was reportedly exploited in the wild in March 2023.

Affected

3 ranges

Vendor        Product              Version range   Fixed in
debian        qbittorrent          -               -
qbittorrent   qbittorrent          <= 4.5.5        -
qbittorrent   qbittorrent_client   <= 4.5.5        -

Detection & IOCs (extracted from sources)

  • Detect authentication attempts using qBittorrent Web UI default credentials (username: admin, password: adminadmin) against the Web UI login endpoint
  • Monitor for OS command execution triggered via the qBittorrent Web UI 'external program' feature, which can be abused post-authentication to run arbitrary commands
  • Flag in-the-wild exploitation activity targeting qBittorrent Web UI; known active exploitation was observed in March 2023
  • Debian packages across multiple releases (bookworm, bullseye, forky, sid, trixie) remain open/unpatched for this CVE

CVSS provenance

Source          Version   Score   Severity   Vector
nvd             v3.1      9.8     CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
osv             -         9.8     CRITICAL   -
vulncheck       -         9.8     CRITICAL   -
vendor_debian   -         9.8     LOW        -