CVE-2023-38126
published 2023-12-19


Priority: P2 · 70 · high · 7.2 (CVSS 3.1)
Vector: AV:N / AC:L / PR:H / UI:N / S:U / C:H / I:H / A:H
EPSS: 68.61% (99.3rd percentile)
Softing edgeAggregator Restore Configuration Directory Traversal Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Softing edgeAggregator. Authentication is required to exploit this vulnerability. The specific flaw exists within the processing of backup zip files. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this to execute code in the context of root. Was ZDI-CAN-20543.

Affected

2 ranges

Vendor: softing · Product: edgeaggregator · Version range: (not given) · Fixed in: (not given)
Vendor: softing · Product: edgeaggregator · Version range: (not given) · Fixed in: (not given)

Detection & IOCs (extracted from sources)

  • Vulnerability is triggered via processing of backup zip files — monitor for zip file uploads to the edgeAggregator restore/configuration endpoint, especially those containing absolute or traversal paths within the archive entries
  • Classify as absolute path traversal (CWE-22); detect file write operations outside expected directories initiated by the edgeAggregator process, particularly running as root
  • Exploitation requires authenticated (admin-level) HTTP access; alert on admin-authenticated POST requests carrying zip/archive payloads to the restore configuration API of Softing edgeAggregator
  • Successful exploitation results in code execution as root; monitor for unexpected child processes or file modifications in sensitive OS paths spawned by the edgeAggregator service
  • The CISA advisory notes these vulnerabilities are not exploitable remotely in its advisory context, despite NVD classifying the attack vector as Network (AV:N) — validate network reachability assumptions in your environment before tuning alert thresholds
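The first two bullets describe the check that was missing: every entry name in a restore archive must be validated before it is used in a file operation. The following Python is an added example of that check, not Softing's code and not taken from the advisory; the restore directory `/opt/edgeaggregator/restore` and the archive contents are constructed placeholders. It inspects each zip entry lexically (absolute paths, drive letters, and `..` segments that resolve outside the restore root) and refuses the whole archive if any entry escapes, which is also the condition a detection rule on the upload endpoint would key on.

```python
import io
import os
import posixpath
import tempfile
import zipfile

# Hypothetical restore root; the real product's path is not on the page.
RESTORE_ROOT = "/opt/edgeaggregator/restore"


def build_archive(entries: dict) -> bytes:
    """Construct an in-memory zip from {entry_name: bytes} (test fixture only).

    ZipFile.writestr stores the name exactly as given, so absolute and
    traversal names survive, just as they would in an attacker-built archive.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, payload in entries.items():
            zf.writestr(name, payload)
    return buf.getvalue()


def unsafe_zip_entries(data: bytes, dest: str = RESTORE_ROOT) -> list:
    """Return the entry names that would resolve outside dest (CWE-22 check).

    The test is purely lexical (no filesystem access), so it can run on an
    upload before anything is written. Backslashes are normalised because some
    extractors treat them as separators.
    """
    dest = posixpath.normpath(dest)
    bad = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename.replace("\\", "/")
            # Absolute POSIX paths and Windows drive-letter paths are never
            # legitimate inside a configuration backup.
            if name.startswith("/") or name[1:2] == ":":
                bad.append(info.filename)
                continue
            # Join, collapse "." and "..", then require containment in dest.
            target = posixpath.normpath(posixpath.join(dest, name))
            if target != dest and not target.startswith(dest + "/"):
                bad.append(info.filename)
    return bad


def safe_restore(data: bytes, dest: str) -> list:
    """Extract a backup only if every entry stays under dest.

    Raises ValueError (and writes nothing) when any entry escapes; otherwise
    returns the relative paths written, in archive order.
    """
    bad = unsafe_zip_entries(data, dest)
    if bad:
        raise ValueError(f"refusing backup: {len(bad)} entries escape {dest}: {bad[:3]}")
    dest = posixpath.normpath(dest)
    written = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            target = posixpath.normpath(posixpath.join(dest, info.filename.replace("\\", "/")))
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(posixpath.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(posixpath.relpath(target, dest))
    return written


def make_scratch_dir() -> str:
    """Fresh temporary directory to stand in for the restore root."""
    return tempfile.mkdtemp(prefix="edgeagg-restore-")


if __name__ == "__main__":
    good = build_archive({"config/settings.json": b"{}", "certs/ca.pem": b"-----"})
    evil = build_archive({"config/settings.json": b"{}", "../../etc/cron.d/job": b"* * * * * root id"})
    print("good archive:", unsafe_zip_entries(good))   # []
    print("evil archive:", unsafe_zip_entries(evil))   # ['../../etc/cron.d/job']
    print("restored:", safe_restore(good, make_scratch_dir()))
```

Two caveats for anyone porting this to a real restore handler: the check must run on the names the extractor will actually use (after any decoding or separator normalisation the extractor performs), and it does not cover symlink entries, which can redirect a later, lexically valid write outside the root; either reject symlinks in backups or resolve each target with `realpath` after extraction and verify containment again.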

CVSS provenance

NVD · v3.1 · 7.2 HIGH · CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
NVD · v3.0 · 7.2 HIGH · CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H