CVE-2023-37265
published 2023-07-17

CVE-2023-37265: CasaOS is an open-source Personal Cloud system. Due to a lack of IP address verification, unauthenticated attackers can execute arbitrary commands as `root`…

Priority: P275 (critical)
CVSS 3.1 base score: 9.8
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: yes
EPSS: 6.36% (92.8th percentile)
CasaOS is an open-source Personal Cloud system. Due to a lack of IP address verification, unauthenticated attackers can execute arbitrary commands as `root` on CasaOS instances. The problem was addressed by improving the detection of client IP addresses in `391dd7f`. This patch is part of CasaOS 0.4.4. Users should upgrade to CasaOS 0.4.4. If they can't, they should temporarily restrict untrusted users' access to CasaOS, for instance by not exposing it publicly.

Affected (6 ranges)

Vendor         Product                       Version range     Fixed in
github.com     icewhaletech_casaos-gateway   >= 0, < 0.4.4     0.4.4
icewhale       casaos                        < 0.4.4           0.4.4
icewhale       casaos                        (unspecified)     -
icewhale       casaos-gateway                < 0.4.4           0.4.4
icewhale       casaos-gateway                (unspecified)     -
icewhaletech   casaos-gateway                < 0.4.4           0.4.4

Detection & IOCs (extracted from sources)

  url:   /v1/folder?path=%2F
  other: X-Forwarded-For: 127.0.0.1
  path:  /CasaOS-UI/public/index.html
  path:  /casaos-ui/public/index.html
  • Unauthenticated GET request to /v1/folder?path=%2F with X-Forwarded-For: 127.0.0.1 header spoofing internal IP; a successful response contains '"success":200', '"message":"ok"', 'content', and 'is_dir' — indicating authentication bypass via IP spoofing.
  • CasaOS instances can be fingerprinted via Shodan/FOFA by searching for the path '/CasaOS-UI/public/index.html' or '/casaos-ui/public/index.html' in HTTP response bodies.
  • The vulnerability exploits missing IP address verification; attackers spoof a loopback/internal IP via X-Forwarded-For to bypass authentication and execute arbitrary commands as root.
  • The extractor retrieves filesystem paths from the API response at .data.content[].path, confirming successful root-level directory traversal post-bypass.
  • The authentication bypass only works against CasaOS versions strictly below 0.4.4; the fix was introduced in commit 391dd7f (CasaOS-Gateway) and shipped in 0.4.4.
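The root cause described above is a client-IP resolver that believes whatever `X-Forwarded-For` says. The following Go program is an added example, not CasaOS code and not a reproduction of commit 391dd7f: it places the weak pattern (first `X-Forwarded-For` entry trusted unconditionally) beside a hardened resolver that starts from the unforgeable TCP peer address and only honours forwarded hops that were appended by a proxy in a configured trust list. The trusted-proxy ranges (`10.0.0.0/8`, `172.16.0.0/12`), the request scenarios and the `isInternal` policy check are assumptions constructed for the example.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"strings"
)

// trustedProxyCIDRs is an assumption for this example: the only hosts whose
// X-Forwarded-For header the application is willing to believe.
var trustedProxyCIDRs = mustParseCIDRs("10.0.0.0/8", "172.16.0.0/12")

func mustParseCIDRs(cidrs ...string) []*net.IPNet {
	nets := make([]*net.IPNet, 0, len(cidrs))
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			panic(err)
		}
		nets = append(nets, n)
	}
	return nets
}

func isTrustedProxy(ip net.IP) bool {
	for _, n := range trustedProxyCIDRs {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// peerIP is the address of the TCP connection itself; a client cannot forge it.
func peerIP(r *http.Request) net.IP {
	host, _, err := net.SplitHostPort(r.RemoteAddr)
	if err != nil {
		host = r.RemoteAddr
	}
	return net.ParseIP(host)
}

// weakClientIP is the anti-pattern: the first X-Forwarded-For entry is believed
// no matter who sent it, so any client can claim to be 127.0.0.1.
func weakClientIP(r *http.Request) net.IP {
	if xff := r.Header.Get("X-Forwarded-For"); xff != "" {
		first := strings.TrimSpace(strings.SplitN(xff, ",", 2)[0])
		if ip := net.ParseIP(first); ip != nil {
			return ip
		}
	}
	return peerIP(r)
}

// hardenedClientIP starts from the TCP peer and walks X-Forwarded-For from
// right to left only while the current hop is a trusted proxy. The first hop
// that is not a trusted proxy is the real client. If the chain never leaves
// the proxy set, or a hop is unparsable, it fails closed (ok == false).
func hardenedClientIP(r *http.Request) (net.IP, bool) {
	current := peerIP(r)
	if current == nil {
		return nil, false
	}
	if !isTrustedProxy(current) {
		return current, true // direct connection: the header is ignored entirely
	}
	hops := strings.Split(r.Header.Get("X-Forwarded-For"), ",")
	for i := len(hops) - 1; i >= 0; i-- {
		h := strings.TrimSpace(hops[i])
		if h == "" {
			continue
		}
		ip := net.ParseIP(h)
		if ip == nil {
			return nil, false
		}
		if !isTrustedProxy(ip) {
			return ip, true
		}
	}
	return nil, false
}

// isInternal is the kind of "local caller" test the advisory says was bypassed.
func isInternal(ip net.IP) bool {
	return ip != nil && (ip.IsLoopback() || ip.IsPrivate())
}

// newReq builds a request for the scenarios below (constructed sample input).
func newReq(remoteAddr, xff string) *http.Request {
	r := &http.Request{RemoteAddr: remoteAddr, Header: http.Header{}}
	if xff != "" {
		r.Header.Set("X-Forwarded-For", xff)
	}
	return r
}

// weakGrantsInternal and hardenedGrantsInternal report whether each resolver
// would treat the request as coming from an internal address.
func weakGrantsInternal(r *http.Request) bool { return isInternal(weakClientIP(r)) }

func hardenedGrantsInternal(r *http.Request) bool {
	ip, ok := hardenedClientIP(r)
	return ok && isInternal(ip)
}

func main() {
	cases := []struct{ name, remote, xff string }{
		{"spoofed loopback, direct connection", "198.51.100.7:51234", "127.0.0.1"},
		{"spoofed loopback, behind trusted proxy", "10.0.0.5:40000", "127.0.0.1, 198.51.100.7"},
		{"genuinely local", "127.0.0.1:40001", ""},
	}
	for _, c := range cases {
		r := newReq(c.remote, c.xff)
		fmt.Printf("%-40s weak=%-5v hardened=%v\n", c.name, weakGrantsInternal(r), hardenedGrantsInternal(r))
	}
}
```

The hardened resolver never consults the header on a direct connection, which is the case the IOC above describes (an external client sending `X-Forwarded-For: 127.0.0.1` straight to the service), and it returns `ok == false` rather than a guess when a trusted proxy forwards a request without a usable chain. The same design applies to `X-Real-IP`, `Forwarded` and similar headers: trust is a property of the sending hop, not of the header.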