CVE-2023-40504
Published 2024-05-03
CVE-2023-40504: LG Simple Editor readVideoInfo Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on…
Priority: P188, critical, 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 87.76% (99.7th percentile)
LG Simple Editor readVideoInfo Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of LG Simple Editor. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the readVideoInfo method. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of SYSTEM.
Was ZDI-CAN-19953.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| lg | simple_editor | — | — |
| lg | simple_editor | — | — |
Detection & IOCs (extracted from sources)
- url: /simpleeditor/common/commonReleaseNotes.do
- url: /simpleeditor/imageManager/uploadVideo.do
- url: /simpleeditor/fileSystem/makeDetailContent.do
- command: /"&cmd&cd ..&cd ..&cd ..&cd server&cd webapps&cd simpleeditor&del {{filename}}.bmp&/../"
- path: /simpleeditor/
- other: icon_hash="159985907"
- The exploit chain involves three sequential unauthenticated HTTP requests: (1) GET to /simpleeditor/common/commonReleaseNotes.do to fingerprint the target, (2) POST to /simpleeditor/imageManager/uploadVideo.do with injected uploadPath, (3) POST to /simpleeditor/fileSystem/makeDetailContent.do to copy/rename the uploaded file to a .jsp webshell.
- The injected uploadPath value uses Windows cmd chaining (& delimiters) to traverse directories and execute arbitrary commands as NT AUTHORITY\SYSTEM. Look for uploadPath values containing &cmd& or similar shell metacharacters in multipart POST bodies.
- After upload, the attacker calls /simpleeditor/fileSystem/makeDetailContent.do with a JSON body using the 'cp' command to rename the uploaded .bmp to a .jsp file, creating a webshell accessible at /simpleeditor/<filename>.jsp.
- Presence of a .jsp file under the /simpleeditor/ web root that was recently created via the makeDetailContent.do copy operation may indicate successful exploitation.
- No authentication is required to exploit this vulnerability; any unauthenticated POST to the affected endpoints should be treated as suspicious.
- The vulnerability affects LG Simple Editor versions up to and including v3.21.0 only; later versions are not confirmed vulnerable.
- Exploitation executes commands in the context of NT AUTHORITY\SYSTEM (Windows), so detections should be scoped to Windows-hosted deployments of LG Simple Editor.
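The uploadPath and makeDetailContent.do checks from the notes above can be run over captured request bodies, as in this added example (not code from the Suricata, Nuclei or Metasploit content referenced on this page). The metacharacter set is an assumption, and the boundary, file names and JSON key names in the samples are constructed; the JSON check is schema-agnostic because the page does not give the field names.

```python
import email
import json
import re

# cmd.exe control characters a plain upload directory never needs (assumed set).
CMD_META = re.compile(r'[&|<>^"%\r\n]')

def multipart_fields(content_type, body):
    """Parse a multipart/form-data body into {field name: raw bytes}."""
    raw = b"Content-Type: " + content_type.encode() + b"\r\n\r\n" + body
    msg = email.message_from_bytes(raw)
    parts = msg.get_payload() if msg.is_multipart() else []
    return {p.get_param("name", header="content-disposition"):
            p.get_payload(decode=True) or b"" for p in parts}

def suspicious_upload_path(uri, content_type, body):
    """Return the offending uploadPath value, or None if the request is clean."""
    if not uri.split("?")[0].endswith("/imageManager/uploadVideo.do"):
        return None
    value = multipart_fields(content_type, body).get("uploadPath", b"")
    text = value.decode("utf-8", "replace")
    return text if CMD_META.search(text) else None

def strings(node):  # every string value in a decoded JSON document, lowercased
    if isinstance(node, dict):
        node = list(node.values())
    if isinstance(node, list):
        for item in node:
            yield from strings(item)
    elif isinstance(node, str):
        yield node.lower()

def jsp_copy_request(uri, body):
    """True when a makeDetailContent.do JSON body pairs 'cp' with a .jsp name."""
    if not uri.split("?")[0].endswith("/fileSystem/makeDetailContent.do"):
        return False
    try:
        vals = list(strings(json.loads(body)))
    except ValueError:
        return False
    return any(v.split()[:1] == ["cp"] for v in vals) and any(v.endswith(".jsp") for v in vals)

# Constructed samples: boundary, file names and JSON keys are made up.
CT = "multipart/form-data; boundary=XbndX"
def form(path):
    return (b'--XbndX\r\nContent-Disposition: form-data; name="uploadPath"'
            b"\r\n\r\n" + path + b"\r\n--XbndX--\r\n")
BAD = form(b'/"&cmd&cd ..&/../"')
GOOD = form(b"/upload/video")
COPY = b'{"commands": [{"cmd": "cp", "from": "a.bmp", "to": "a.jsp"}]}'
```

A hit from both functions for the same client within a short window matches steps (2) and (3) of the chain and is stronger evidence than either alone.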
CVSS provenance
- nvd, v3.1: 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- nvd, v3.0: 9.8 CRITICAL, CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Suricata
ET EXPLOIT LG Simple Editor RCE Attempt Inbound (CVE-2023-40504)
suricata·2025-06-12·CVSS 9.8
Rule: alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT LG Simple Editor RCE Attempt Inbound (CVE-2023-40504)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/uploadVideo.do"; fast_pattern; http.request_body; content:"|20|form-data|3b 20|"; pcre:"/^\/?\"\s?&/m"; reference:cve,2023-40504; classtype:attempted-admin; sid:2062917; rev:1; metadata:attack_target Server, created_at 2025_06_12, cve CVE_2023_40504, deployment Perimeter, deployment Internal, performance_impact Low, confidence High, signature_severity Major, updated_at 2025_06_12; target:dest_ip;)
Nuclei
LG Simple Editor <= v3.21.0 - Command Injection
nuclei·CVSS 9.8
LG Simple Editor readVideoInfo Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of LG Simple Editor. Authentication is not required to exploit this vulnerability. The specific flaw exists within the readVideoInfo method. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of SYSTEM.
Template:
id: CVE-2023-40504
info:
  name: LG Simple Editor <= v3.21.0 - Command Injection
  author: s4e-io
  severity: critical
  description: |
    LG Simple Editor readVideoInfo Command Injection Remote Code Execution Vulnerabili
Metasploit
LG Simple Editor Command Injection (CVE-2023-40504)
metasploit·CVSS 9.8
Unauthenticated Command Injection in LG Simple Editor <= v3.21.0. The vulnerability can be exploited by a remote attacker to inject arbitrary operating system commands which will get executed in the context of NT AUTHORITY\SYSTEM.
Published: 2024-05-03