CVE-2023-37266
published 2023-07-17


Priority: P2 (75)
Severity: critical, CVSS 3.1 base score 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: public PoC available
EPSS: 5.87% (92.3rd percentile)
Description

CasaOS is an open-source Personal Cloud system. Unauthenticated attackers can craft arbitrary JWTs, access features that normally require authentication, and execute arbitrary commands as `root` on CasaOS instances. The problem was addressed by improving the validation of JWTs in commit `705bf1f`, which is part of CasaOS 0.4.4. Users should upgrade to CasaOS 0.4.4. If they cannot, they should temporarily keep untrusted users away from CasaOS, for instance by not exposing it publicly.

Affected

3 ranges

Vendor        Product               Version range     Fixed in
github.com    icewhaletech_casaos   >= 0, < 0.4.4     0.4.4
icewhale      casaos                < 0.4.4           0.4.4
icewhaletech  casaos                < 0.4.4           0.4.4

Detection & IOCs

Indicators:
  url    /v1/folder?path=%2F
  path   /CasaOS-UI/public/index.html
  path   /casaos-ui/public/index.html
  other  {"iss":"casaos","exp":1790210322,"nbf":1790199522,"iat":1790199522}  (claims of the PoC token)

  • Detect JWT-crafting attempts by monitoring GET requests to /v1/folder?path=%2F (match the URL-decoded form path=/ as well) that carry an Authorization header whose JWT uses alg HS256 and has the issuer claim 'casaos'.
  • Match successful exploitation by responses on the /v1/folder endpoint whose JSON body contains both '"success":200' and '"message":"ok"' together with 'content' and 'is_dir' fields (a directory listing returned to an unauthenticated caller).
  • Fingerprint CasaOS instances via Shodan/FOFA by searching for the string '/CasaOS-UI/public/index.html' or '/casaos-ui/public/index.html' in HTTP response bodies.
  • The fix commit 705bf1f improves JWT validation; instances not yet patched to CasaOS 0.4.4 remain vulnerable. Look for CasaOS versions below 0.4.4.
  • The crafted JWT is signed with a randomly generated HS256 key (there is no fixed secret to look for). The exploit works because CasaOS < 0.4.4 does not properly validate JWT signatures and accepts any token whose claims parse. Detection based solely on JWT content or structure may produce false positives, since only the server, which holds the signing key, can tell a forged token from a genuine one on the wire; correlate with the target endpoint and the response body.
  • The issuer claim is hardcoded as 'casaos' with far-future expiry timestamps; these static values in the jwt_data variable are specific to the PoC/Nuclei template and may differ in real-world exploitation.
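The following Python program is an added illustration, not CasaOS code and not the patch in 705bf1f. It ties the two technical points above together: the description's "improving the validation of JWTs" and the detection rule. It shows the vulnerable pattern (claims trusted without a signature check) beside the hardened one (algorithm pinned, HMAC recomputed and compared in constant time), then runs the advisory's detection rule over constructed request/response records. The server key, the record layout, the attacker key and the response bodies are assumptions made for the example; the claim values are the ones quoted in the PoC token above.

```python
# Constructed illustration of CVE-2023-37266's defect class and detection.
# Not CasaOS code; keys, record layout and response bodies are assumptions.
import base64
import hashlib
import hmac
import json
import os
from dataclasses import dataclass
from typing import Optional

ISSUER = "casaos"
# Claims copied from the PoC token quoted in the advisory.
POC_CLAIMS = {"iss": ISSUER, "exp": 1790210322, "nbf": 1790199522, "iat": 1790199522}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign(key: bytes, claims: dict) -> str:
    """Mint an HS256 token header.payload.signature (RFC 7519 layout)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}"
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def split(token: str):
    """Decode header and claims WITHOUT checking the signature.
    Trusting the claims returned here is the vulnerable pattern: the attacker
    wrote every byte of them. Returns (header, claims, signing_input, sig)."""
    h, p, s = token.split(".")
    return json.loads(_unb64url(h)), json.loads(_unb64url(p)), f"{h}.{p}", _unb64url(s)


def _check_claims(claims: dict, now: int) -> bool:
    return claims.get("iss") == ISSUER and claims.get("nbf", 0) <= now < claims.get("exp", 0)


def validate_unverified(token: str, now: int) -> bool:
    """Vulnerable: issuer and validity window are checked, the signature never is."""
    _, claims, _, _ = split(token)
    return _check_claims(claims, now)


def validate_verified(key: bytes, token: str, now: int) -> bool:
    """Hardened: pin the alg, recompute the MAC over the exact signed bytes,
    compare in constant time, and only then look at the claims."""
    header, claims, signing_input, sig = split(token)
    if header.get("alg") != "HS256":  # also rejects "none" and key-confusion tricks
        return False
    expected = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return False
    return _check_claims(claims, now)


@dataclass
class Record:
    method: str
    path: str   # path plus query string, as a reverse proxy would log it
    auth: str   # Authorization request header
    body: str   # response body, assuming the proxy captures it


@dataclass
class Finding:
    path: str
    served: bool            # response carried the directory listing
    forged: Optional[bool]  # None when no server key is available to check


def detect(records, server_key: Optional[bytes] = None):
    """The advisory's rule: GET /v1/folder with an HS256 iss=casaos token,
    escalated when the response shows success. With the server key (e.g. a
    host-based agent) forged tokens are separable from real sessions; without
    it the rule is a triage signal only."""
    findings = []
    for r in records:
        if r.method != "GET" or not r.path.startswith("/v1/folder"):
            continue
        tok = r.auth[7:] if r.auth.startswith("Bearer ") else r.auth
        try:
            header, claims, signing_input, sig = split(tok)
        except (ValueError, AttributeError):  # malformed token or non-object JSON
            continue
        if header.get("alg") != "HS256" or claims.get("iss") != ISSUER:
            continue
        served = all(m in r.body for m in ('"success":200', '"message":"ok"', '"content"', '"is_dir"'))
        forged = None
        if server_key is not None:
            expected = hmac.new(server_key, signing_input.encode(), hashlib.sha256).digest()
            forged = not hmac.compare_digest(expected, sig)
        findings.append(Finding(r.path, served, forged))
    return findings


def demo():
    """Constructed scenario: a token minted under a key the server never saw."""
    server_key = b"constructed-server-secret"
    attacker_key = os.urandom(32)  # the PoC likewise uses a random HS256 key
    now = 1790200000               # inside the PoC token's nbf..exp window
    forged, legit = sign(attacker_key, POC_CLAIMS), sign(server_key, POC_CLAIMS)
    listing = '{"success":200,"message":"ok","data":{"content":[{"name":"etc","is_dir":true}]}}'
    records = [  # constructed log records
        Record("GET", "/v1/folder?path=%2F", "Bearer " + forged, listing),      # vulnerable host served it
        Record("GET", "/v1/folder?path=%2F", "Bearer " + forged, '{"success":401,"message":"unauthorized"}'),
        Record("GET", "/v1/folder?path=%2Fhome", "Bearer " + legit, listing),   # genuine session
        Record("POST", "/v1/users/login", "", '{"success":200,"message":"ok"}'),  # must not fire
    ]
    return {
        "unverified_accepts_forged": validate_unverified(forged, now),
        "verified_accepts_forged": validate_verified(server_key, forged, now),
        "verified_accepts_legit": validate_verified(server_key, legit, now),
        "findings": detect(records, server_key),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Run it directly to see the forged token pass `validate_unverified` and fail `validate_verified`, and to see `detect` flag the two forged requests while leaving the genuine session unflagged. The `forged` field is the only thing that separates an attack from a real user; a network-side sensor without the key has to fall back on the `served` field plus the host's version, which is what the bullets above describe.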