CVE-2023-38198
Published: 2023-07-13
CVE-2023-38198: acme.sh before 3.0.6 runs arbitrary commands from a remote server via eval, as exploited in the wild in June 2023.
Priority: P1 81 · Critical 9.8 (CVSS 3.1) · AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
ITW: VulnCheck KEV (exploited in the wild)
EPSS: 0.93% (56.3rd percentile)
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| acme.sh_project | acme.sh | < 3.0.6 | 3.0.6 |
| debian | acme.sh | — | — |
| serverco | getssl | <= 2.49 | — |
Detection & IOCs (extracted from sources)
- Flag acme.sh versions prior to 3.0.6 as vulnerable; the exploit involves arbitrary command execution via eval on data received from a remote server.
- Exploitation was confirmed in the wild in June 2023; any system running acme.sh < 3.0.6 that communicates with a remote ACME server should be treated as potentially compromised.
- Debian resolved this in forky, sid, and trixie; scope is listed as local, meaning exploitation impact is assessed in a local context by Debian.
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| vulncheck | — | 9.8 | CRITICAL | — |
| vendor_debian | — | 9.8 | LOW | — |
Debian
vendor_debian · 2023 · CVSS 9.8
CVE-2023-38198 [CRITICAL] acme.sh - acme.sh before 3.0.6 runs arbitrary commands from a remote server via eval, as e...
acme.sh before 3.0.6 runs arbitrary commands from a remote server via eval, as exploited in the wild in June 2023.
Scope: local
forky: resolved
sid: resolved
trixie: resolved
GHSA
ghsa_unreviewed · 2026-06-16 · CVSS 9.8
CVE-2026-10303 [CRITICAL] CWE-73
In ServerCo getssl version 2.49 and prior, the ACME challenge token returned to the client was not strictly validated against RFC 8555 before being used in challenge-file handling, allowing a maliciously crafted token to influence local path/filename usage during validation. An attacker who can supply ACME challenge responses to getssl (for example, a malicious or compromised CA endpoint, or an on-path adversary able to tamper with that response path) could exploit this to achieve unauthorized file write/path traversal effects, usually with elevated privileges, ultimately allowing for remote command injection. This issue appears related in spirit to CVE-2023-38198, and is an instance of CWE-73, "External control of file name or path." Other ACME shell script handlers may be affected by sim
GHSA
ghsa_unreviewed · 2023-07-13
CVE-2023-38198 [CRITICAL] CWE-94 GHSA-p882-2j97-m4hp: acme
acme.sh before 3.0.6 runs arbitrary commands from a remote server via eval, as exploited in the wild in June 2023.
VulnCheck
vulncheck · 2023 · CVSS 9.8
CVE-2023-38198 [CRITICAL] Acme.sh before 3.0.6 Remote Code Execution
acme.sh before 3.0.6 runs arbitrary commands from a remote server via eval, as exploited in the wild in June 2023.
Affected: acme.sh_project acme.sh
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://nvd.nist.gov/vuln/detail/CVE-2023-38198; https://www.cve.org/CVERecord?id=CVE-2023-38198
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References:
- http://www.openwall.com/lists/oss-security/2023/07/13/1
- https://github.com/acmesh-official/acme.sh/issues/4659
- https://github.com/acmesh-official/acme.sh/releases/tag/3.0.6
- https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/heXVr8o83Ys
- https://news.ycombinator.com/item?id=36252310
- https://news.ycombinator.com/item?id=36254093
- https://www.reddit.com/r/netsec/comments/144ygg7/acmesh_runs_arbitrary_commands_from_a_remote/