cbcvebase.
CVE-2023-38198
published 2023-07-13

CVE-2023-38198: acme.sh before 3.0.6 runs arbitrary commands from a remote server via eval, as exploited in the wild in June 2023.

Priority: P1 · 81 · critical
CVSS 3.1: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
ITW: VulnCheck KEV (exploited in the wild)
EPSS: 0.93% (56.3th percentile)

Affected

3 ranges

Vendor | Product | Version range | Fixed in
acme.sh_project | acme.sh | < 3.0.6 | 3.0.6
debian | acme.sh | |
serverco | getssl | <= 2.49 |

Detection & IOCs (extracted from sources)

  • Flag acme.sh versions prior to 3.0.6 as vulnerable; the exploit involves arbitrary command execution via eval() on data received from a remote server
  • Exploitation was confirmed in the wild in June 2023; any system running acme.sh < 3.0.6 that communicates with a remote ACME server should be treated as potentially compromised
  • Debian resolved this in forky, sid, and trixie; scope is listed as local, meaning exploitation impact is assessed in a local context by Debian

CVSS provenance

Source | Version | Score | Severity | Vector
nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck | | 9.8 | CRITICAL |
vendor_debian | | 9.8 | LOW |