CVE-2023-38646
Published: 2023-07-21
Priority: P195 · critical · CVSS 3.1 score 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
In-the-wild exploit · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 97.92% (99.9th percentile)
Metabase open source before 0.46.6.1 and Metabase Enterprise before 1.46.6.1 allow attackers to execute arbitrary commands on the server, at the server's privilege level. Authentication is not required for exploitation. The other fixed versions are 0.45.4.1, 1.45.4.1, 0.44.7.1, 1.44.7.1, 0.43.7.2, and 1.43.7.2.
Affected
8 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| metabase | metabase | < 0.43.7.2 | 0.43.7.2 |
| metabase | metabase | < 1.43.7.2 | 1.43.7.2 |
| metabase | metabase | >= 0.44.0 < 0.44.7.1 | 0.44.7.1 |
| metabase | metabase | >= 0.45.0 < 0.45.4.1 | 0.45.4.1 |
| metabase | metabase | >= 0.46.0 < 0.46.6.1 | 0.46.6.1 |
| metabase | metabase | >= 1.44.0 < 1.44.7.1 | 1.44.7.1 |
| metabase | metabase | >= 1.45.0 < 1.45.4.1 | 1.45.4.1 |
| metabase | metabase | >= 1.46.0 < 1.46.6.1 | 1.46.6.1 |
Detection & IOCs (extracted from sources)
IOC (command): zip:/app/metabase.jar!/sample-database.db;MODE=MSSQLServer;TRACE_LEVEL_SYSTEM_OUT=1\;CREATE TRIGGER pwnshell BEFORE SELECT ON INFORMATION_SCHEMA.TABLES AS $$//javascript\njava.lang.Runtime.getRuntime().exec('bash -c {echo,<base64>}|{base64,-d}|bash')\n$$--=x
IOC (bytes): 0x756e672e
Detection:
- Alert on HTTP POST requests to /api/setup/validate containing the string 'INFORMATION_SCHEMA.TABLES' combined with '//javascript' in the request body, which is the H2 trigger-based RCE payload pattern.
- Detect DreamBus UPX-packed ELF modules by scanning for the modified UPX magic bytes 0x756e672e (.gnu) instead of the standard 0x21585055 (UPX!) at the expected UPX header offset.
- Monitor for creation of the lock file /tmp/.systemd.3 on Linux hosts, which is used by DreamBus exploit modules to prevent multiple concurrent instances.
- Alert on outbound connections from Metabase server processes to Tor2web domains (*.tor2web.re, *.tor2web.in, *.tor2web.it) or SOCKS5 connections to relay.tor2socks.in:9050, which indicate successful DreamBus post-exploitation.
- Monitor for the user-agent string '-' (a single dash) in HTTP requests, used by DreamBus curl commands to blend in or avoid logging.
- Detect exploitation by monitoring for the H2 database engine being specified in POST /api/setup/validate requests from Metabase instances that have already completed setup (the setup-token should not be accessible post-setup).
- Monitor for the beacon pattern 'mb0_' prefix in HTTP referrer/user-agent strings used by DreamBus to identify compromised hosts back to C2 (format: mb0_<public_ip>_<whoami>_<hostname>_<kernel>_<machine-id>).
Notes:
- The setup-token is only exploitable if it remains accessible after Metabase setup is complete; patched versions (0.46.6.1+, 1.46.6.1+, 0.45.4.1, 1.45.4.1, 0.44.7.1, 1.44.7.1, 0.43.7.2, 1.43.7.2) revoke the token post-setup.
- The exploit requires the H2 database engine to be available/enabled in the Metabase instance; the payload specifically uses 'zip:/app/metabase.jar!/sample-database.db' to avoid corrupting production databases.
- Authentication is not required for exploitation; the /api/session/properties and /api/setup/validate endpoints are publicly accessible on unpatched instances.
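Two of the indicators above are mechanical enough to turn into code: the H2 trigger markers in a POST /api/setup/validate body (first and sixth detection items) and the altered UPX magic in DreamBus modules (second item). The block below is an added example written for this page; it is not code from Metabase, Emerging Threats, Zscaler or any other source cited here. The `HttpEvent` record, its `setup_complete` field (assumed to come from your own inventory of which hosts have finished Metabase setup), the 4 KiB scan window, and the rule that a `.gnu` hit followed by `.` or `_` is an ordinary section name rather than a packer marker are all assumptions of this example. Sample requests and byte strings are constructed, not captured.

```python
import re
import struct
from typing import List, NamedTuple, Tuple

# Markers named in the indicator: the H2 trigger source form
# "... ON INFORMATION_SCHEMA.TABLES AS $$//javascript". Both must be present.
_TRIGGER_RE = re.compile(r"INFORMATION_SCHEMA\.TABLES", re.IGNORECASE)
_JS_RE = re.compile(r"//javascript", re.IGNORECASE)
# H2 selected as the engine in a validate request. On a host that has finished
# setup this endpoint should not be usable at all, so any such request is suspect.
_H2_ENGINE_RE = re.compile(r'"engine"\s*:\s*"h2"', re.IGNORECASE)
_SETUP_VALIDATE = "/api/setup/validate"


class HttpEvent(NamedTuple):
    method: str
    path: str
    body: str
    setup_complete: bool  # assumption: supplied from your asset inventory


def classify_request(ev: HttpEvent) -> str:
    """Return 'h2-trigger-rce', 'h2-post-setup' or 'none' for one request."""
    if ev.method.upper() != "POST" or not ev.path.startswith(_SETUP_VALIDATE):
        return "none"
    if _TRIGGER_RE.search(ev.body) and _JS_RE.search(ev.body):
        return "h2-trigger-rce"
    if ev.setup_complete and _H2_ENGINE_RE.search(ev.body):
        return "h2-post-setup"
    return "none"


def scan_events(events: List[HttpEvent]) -> List[Tuple[str, str]]:
    """Return (path, verdict) for every event whose verdict is not 'none'."""
    hits = []
    for ev in events:
        verdict = classify_request(ev)
        if verdict != "none":
            hits.append((ev.path, verdict))
    return hits


# Constructed sample requests (not captured traffic). The first carries the
# trigger markers from the page's IOC with the executed command left out.
SAMPLE_EVENTS = [
    HttpEvent("POST", "/api/setup/validate",
              '{"token":"00000000-0000-0000-0000-000000000000","details":{"db":'
              '"zip:/app/metabase.jar!/sample-database.db;CREATE TRIGGER t '
              'BEFORE SELECT ON INFORMATION_SCHEMA.TABLES AS $$//javascript\\n$$"},'
              '"engine":"h2"}', True),
    HttpEvent("POST", "/api/setup/validate",
              '{"token":"00000000-0000-0000-0000-000000000000",'
              '"details":{"db":"mem:x"},"engine":"h2"}', True),
    HttpEvent("POST", "/api/setup/validate",
              '{"token":"00000000-0000-0000-0000-000000000000",'
              '"details":{"host":"db.internal"},"engine":"postgres"}', False),
    HttpEvent("GET", "/api/session/properties", "", True),
]

# Magic values exactly as the page gives them, read as little-endian u32:
# 0x21585055 -> b"UPX!" (stock UPX), 0x756e672e -> b".gnu" (DreamBus variant).
UPX_MAGIC = struct.pack("<I", 0x21585055)
DREAMBUS_MAGIC = struct.pack("<I", 0x756E672E)
_SCAN_WINDOW = 4096  # assumption: the packer's info block sits early in the stub


def upx_marker(blob: bytes) -> str:
    """Return 'upx', 'dreambus-upx' or 'none' for one ELF image.

    Heuristic (an assumption of this example, not from the page): only the
    leading bytes are scanned, the ELF magic must be present, and a ".gnu" hit
    immediately followed by '.' or '_' is ignored because that is how ordinary
    section names such as .gnu.version or .gnu_debuglink appear.
    """
    if blob[:4] != b"\x7fELF":
        return "none"
    window = blob[:_SCAN_WINDOW]
    if UPX_MAGIC in window:
        return "upx"
    start = 0
    while (pos := window.find(DREAMBUS_MAGIC, start)) != -1:
        tail = window[pos + 4:pos + 5]
        if tail not in (b".", b"_"):
            return "dreambus-upx"
        start = pos + 1
    return "none"


if __name__ == "__main__":
    for path, verdict in scan_events(SAMPLE_EVENTS):
        print(f"{verdict:16} {path}")
    print(upx_marker(b"\x7fELF" + b"\x00" * 60 + DREAMBUS_MAGIC + b"\x10\x00\x0d\x0c"))
```

`classify_request` deliberately requires both trigger markers before raising the high-confidence verdict, mirroring the Suricata rule's layered content matches; the weaker `h2-post-setup` verdict only fires when your inventory says setup has already completed, since a fresh install legitimately sends H2 validate requests. The `.gnu` filter exists because that byte sequence is common in unpacked ELF string tables, so a bare substring match would be noisy.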
CVSS provenance
- NVD (v3.1): 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- VulnCheck: 9.8 CRITICAL
GHSA
GHSA-jg32-8h6w-x7vg: Metabase open source before 0
ghsa_unreviewed · 2023-07-21 · CVE-2023-38646 [CRITICAL]
VulnCheck
Metabase open source before 0.46.6.1 and Metabase Enterprise before 1.46.6.1 Unauthenticated Command Execution
vulncheck · 2023 · CVSS 9.8 · CVE-2023-38646 [CRITICAL]
Affected: Metabase Metabase
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-11-13&host_type=src&vulnerability=cve-2023-38646; https://dashboard.shadowserver
Suricata
ET WEB_SPECIFIC_APPS Metabase Setup-Token Information Disclosure - Required for CVE-2023-38646
suricata · 2023-08-02 · CVSS 9.8 · CVE-2023-38646 [CRITICAL]
Rule: alert http [$HOME_NET,$HTTP_SERVERS] any -> any any (msg:"ET WEB_SPECIFIC_APPS Metabase Setup-Token Information Disclosure - Required for CVE-2023-38646"; flow:established,to_client; http.response_body; content:"|22|Metabase|22 2c 22|"; fast_pattern; content:"|22|setup|2d|token|22 3a 22|"; pcre:"/[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\x22/R"; reference:url,blog.assetnote.io/2023/07/22/pre-auth-rce-metabase/; reference:cve,2023-38646; classtype:successful-recon-limited; sid:2047018; rev:1; metadata:attack_target Web_Server, created_at 2023_08_02, cve CVE_2023_38646, deployment Perimeter, deployment SSLDecrypt, performance_impact Low, confidence High, signature_severity
Suricata
ET WEB_SPECIFIC_APPS Metabase Pre-Auth RCE Attempt - CVE-2023-38646
suricata · 2023-08-01 · CVSS 9.8 · CVE-2023-38646 [CRITICAL]
Rule: alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SPECIFIC_APPS Metabase Pre-Auth RCE Attempt - CVE-2023-38646"; flow:established,to_server; http.uri; content:"/api/setup/validate"; fast_pattern; http.request_body; content:"|22|token|22|"; pcre:"/^\s?\x3a\s?\x22[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/R"; content:"|22|db|22|"; pcre:"/^\s?\x3a\s?\x22(?:[Zz][Ii][Pp]|[Mm][Ee][Mm])\x3a/R"; content:"|22|engine|22|"; content:"|22|h2|22|"; within:6; reference:url,twitter.com/httpvoid0x2f; reference:url,blog.assetnote.io/2023/07/22/pre-auth-rce-metabase/; reference:cve,2023-38646; classtype:attempted-admin; sid:2047012; rev:1; metadata:attack_target Web_Server, created_at 2023_08_01, cve C
Exploit-DB
Metabase 0.46.6 - Pre-Auth Remote Code Execution
exploitdb · 2024-02-15 · CVSS 9.8 · CVE-2023-38646 [CRITICAL]
```python
# Exploit Title: metabase 0.46.6 - Pre-Auth Remote Code Execution
# Google Dork: N/A
# Date: 13-10-2023
# Exploit Author: Musyoka Ian
# Vendor Homepage: https://www.metabase.com/
# Software Link: https://www.metabase.com/
# Version: metabase 0.46.6
# Tested on: Ubuntu 22.04, metabase 0.46.6
# CVE : CVE-2023-38646
#!/usr/bin/env python3
import socket
from http.server import HTTPServer, BaseHTTPRequestHandler
from typing import Any
import requests
from socketserver import ThreadingMixIn
import threading
import sys
import argparse
from termcolor import colored
from cmd import Cmd
import re
from base64 import b64decode


class Termial(Cmd):
    prompt = "metabase_shell > "

    def default(self, args):
        shell(args)


class Handler(BaseHTTPRequestHa
```
Metasploit
Metabase Setup Token RCE
metasploit
Metabase versions before 0.46.6.1 contain a flaw where the secret setup-token is accessible even after the setup process has been completed. With this token a user is able to submit the setup functionality to create a new database. When creating a new database, an H2 database string is created with a TRIGGER that allows for code execution. We use a sample database for our connection string to prevent corrupting real databases. Successfully tested against Metabase 0.46.6, 0.44.4, 0.42.1.
Nuclei
Metabase < 0.46.6.1 - Remote Code Execution
nuclei · CVSS 9.8 · CVE-2023-38646 [CRITICAL]
Template:
```yaml
id: CVE-2023-38646

info:
  name: Metabase < 0.46.6.1 - Remote Code Execution
  author: rootxharsh,iamnoooob,pdresearch
  severity: critical
  description: |
    Metabase open source before 0.46.6.1 and Metabase Enterprise before 1.46.6.1 allow attackers to execute arbitrary commands on the server, at the server's privilege level. Authentication is not required for exploitation. The other fixed versions are 0.45.4.1, 1.45.4.1, 0.44.7.1, 1
```
Hackernews
Over 1,000 Exposed ComfyUI Instances Targeted in Cryptomining Botnet Campaign
blogs_hackernews · 2026-04-07
An active campaign has been observed targeting internet-exposed instances running ComfyUI, a popular stable diffusion platform, to enlist them into a cryptocurrency mining and proxy botnet.
"A purpose-built Python scanner continuously sweeps major cloud IP ranges for vulnerable targets, automatically installing malicious nodes via ComfyUI-Manager if no exploitable node is already present," Censys security researcher Mark Ellzey said in a report published Monday.
The attack activity, at its core, systemically scans for exposed ComfyUI instances and
Zscaler
DreamBus | ThreatLabz
blogs_zscaler · 2024-01-11
Greynoiseio
NoiseLetter March 2026
blogs_greynoiseio
Events, events… and yes, even more events. 🌍 GreyNoise has been on the move. March kept us busy with stops at eCrimes in London and SecIT in Hanover—but we’re just getting started. Over the next few months, we’ll be hitting the road for CrowdStrike CrowdTours across eight cities, heading to Glasgow to speak and sponsor CyberUK, and making our way to Tampa for H-ISAC. If you’ll be at any of these (or nearby), we’d love to connect.
And while we’ve been racking up miles, we haven’t slowed down on the research front. We’ve just released some exciting new findings—with even more coming in the next few weeks—so keep an eye out.
Thanks, as always, for being part of the GreyNoise community.
Featured
About this new report
Every enterprise firewall processes traffic from residential IP space. T
CTF
Apethanto / Apethanto
ctf_writeups · 2023
13th Nov 2023
Prepared By: Amra & C4rm3l0
Challenge Author(s): Amra & C4rm3l0
Difficulty: Easy
Classification: Official
# Synopsis
Apethanto is an Easy Linux machine hosting a Metabase instance that is vulnerable to pre-authentication Remote Code Execution (RCE). By finding the exposed `setup-token`, the attacker leverages the vulnerability to obtain a reverse shell on the target. Once the attacker gets a shell on the remote machine as the user `metabase`, he may notice that there is a cron that executes `sudo apt update` from a different TTY terminal. This means that the user `metabase` has an active SUDO token. Since the user belongs to the `sudo` group, the attacker is able to steal the valid SUDO token in order to get `root` privileges.
# Enumeration
## Nma
CTF
easy / README
ctf_writeups · CVSS 6.0 [MEDIUM]
---
layout: default
title: Easy Machines
parent: Machines
nav_order: 1
description: "120+ Easy HTB machine writeups with walkthroughs"
permalink: /machines/easy/
---
# HackTheBox Easy Machines - Comprehensive Reference
> Complete catalog of retired HTB Easy machines with OS, key vulnerability, attack path summary, and quality writeup links.
**Total: 100+ Easy Machines** | Updated: April 2026
---
## Quick Navigation
- [Classic / Legacy Machines (2017-2019)](#classic--legacy-machines-2017-2019)
- [2019-2020 Machines](#2019-2020-machines)
- [2021 Machines](#2021-machines)
- [2022 Machines](#2022-machines)
- [2023 Machines](#2023-machines)
- [2024 Machines (Season 4 & 5)](#2024-machines-season-4--5)
- [2025-2026 Machines (Season 6+)](#2025-2026-machines-season-6)
---
## Classic / Legac
CTF
Analytics / README
ctf_writeups · CVSS 9.8 · CVE-2023-38646 [CRITICAL]
# Analytics - HackTheBox - Writeup
Linux, 20 Base Points, Easy
## Machine
## TL;DR
To solve this machine, we start by using `nmap` to enumerate open services and find ports `22`, and `3000`.
***User***: Identified the subdomain `data.analytics.htb` hosting Metabase. Exploited `CVE-2023-38646` to acquire a reverse shell as the `metabase` user. Discovered the password of the `metalytics` user in the `env`.
***Root***: Leveraged the OS version to execute GameOver(lay) Ubuntu Privilege Escalation, resulting in obtaining a `root` shell.
## Analytics Solution
### User
Let's begin by using `nmap` to scan the target machine:
```console
┌─[evyatar9@parrot]─[/hackthebox/Analytics]
└──╼ $ nmap -sV -sC -oA nmap/Analytics 10.10.11.233
# Nmap 7.93 scan initiated Sat Jan 6 23:15:29 2024 as:
```
References:
- http://packetstormsecurity.com/files/174091/Metabase-Remote-Code-Execution.html
- http://packetstormsecurity.com/files/177138/Metabase-0.46.6-Remote-Code-Execution.html
- https://github.com/metabase/metabase/issues/32552
- https://github.com/metabase/metabase/releases/tag/v0.46.6.1
- https://news.ycombinator.com/item?id=36812256
- https://www.metabase.com/blog/security-advisory