cbcvebase.
CVE-2023-43320
published 2023-09-27


Priority: P2 · 62 · high · CVSS 3.1 base score 8.8
CVSS 3.1 vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 0.99% (58.1th percentile)
An issue in Proxmox Server Solutions GmbH Proxmox VE v.5.4 thru v.8.0, Proxmox Backup Server v.1.1 thru v.3.0, and Proxmox Mail Gateway v.7.1 thru v.8.0 allows a remote authenticated attacker to escalate privileges via bypassing the two-factor authentication component.

Affected (3 ranges)

Vendor    Product                Version range   Fixed in
proxmox   backup_server          1.1 – 3.0
proxmox   proxmox_mail_gateway   7.1 – 8.0
proxmox   virtual_environment    5.4 – 8.0

Detection & IOCs (extracted from sources)

url: /api2/extjs/access/ticket
command: password=totp:<6-digit-token>
  • Detect rapid sequential POST requests to /api2/extjs/access/ticket with 'password' field prefixed with 'totp:' followed by 6-digit numeric tokens (000000–999999), indicating TOTP brute-force activity.
  • Alert on high-volume POST requests to /api2/extjs/access/ticket from a single source IP within a short time window, especially with 25 concurrent threads cycling through all 6-digit TOTP values.
  • Monitor for the 'Csrfpreventiontoken' header being reused across a large number of authentication attempts to /api2/extjs/access/ticket, with periodic ticket refresh every 20 minutes to maintain session validity.
  • Flag POST requests to /api2/extjs/access/ticket that include a 'tfa-challenge' parameter alongside a 'password' value starting with 'totp:', as this is the two-stage authentication bypass pattern used in the exploit.
  • Detect ticket refresh requests to /api2/extjs/access/ticket with POST body containing 'realm=pve' and 'new-format=1', which is the first stage of the exploit used to obtain a TFA challenge ticket for subsequent brute-force.
  • The exploit requires a known valid username and password; it only bypasses the TOTP second factor, not the primary credential. Detection should account for the attacker already possessing valid credentials.
  • The exploit auto-refreshes the session ticket every 20 minutes (before the 30-minute expiry) to sustain a long-running brute-force campaign across all 1,000,000 possible TOTP values. Rate-limiting or lockout policies must cover this extended time window.
  • Affected versions span Proxmox VE 5.4 through 8.0, Proxmox Backup Server 1.1 through 3.0, and Proxmox Mail Gateway 7.1 through 8.0. Detection rules should be applied across all these product deployments.
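As an added example (not from the page and not Proxmox's own code), the detection bullets above applied to constructed request-log lines. It assumes a log format of timestamp, source IP, CSRFPreventionToken and POST body per request to /api2/extjs/access/ticket, which a reverse proxy or request capture in front of pveproxy would have to provide; the thresholds are assumptions to tune per deployment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (not from the page) in the assumed format
# "<ISO timestamp> <source IP> <CSRFPreventionToken> <POST body>", one per POST
# to /api2/extjs/access/ticket. pveproxy's own log has no POST bodies (assumption: proxy capture).
SAMPLE_LOG = "\n".join(
    ["2023-09-27T10:00:00 198.51.100.7 tok-A username=root@pam&password=x&realm=pve&new-format=1"]
    + [f"2023-09-27T10:00:{i:02d} 198.51.100.7 tok-A "
       f"username=root@pam&password=totp:{i:06d}&tfa-challenge=c1" for i in range(1, 13)]
    + ["2023-09-27T10:05:00 203.0.113.9 tok-B username=alice@pve&password=totp:482913&tfa-challenge=c2"]
)

TOTP_RE = re.compile(r"totp:\d{6}")  # second-factor token submitted in the password field

def parse(line):
    ts, ip, csrf, body = line.split(" ", 3)
    params = dict(p.split("=", 1) for p in body.split("&") if "=" in p)
    return datetime.fromisoformat(ts), ip, csrf, params

def analyze(log_text, window_seconds=60, attempt_threshold=10, csrf_reuse_threshold=10):
    """Apply the detection patterns listed above and return the hits per rule."""
    totp_by_ip = defaultdict(list)  # ip -> timestamps of 'totp:' password attempts
    csrf_use = defaultdict(int)     # CSRF token -> number of 'totp:' attempts sent with it
    stage1_ips, two_stage_ips = set(), set()
    for line in log_text.splitlines():
        ts, ip, csrf, p = parse(line)
        if p.get("realm") == "pve" and p.get("new-format") == "1":
            stage1_ips.add(ip)      # stage 1: obtaining a TFA challenge ticket
        if TOTP_RE.fullmatch(p.get("password", "")):
            totp_by_ip[ip].append(ts)
            csrf_use[csrf] += 1
            if "tfa-challenge" in p:
                two_stage_ips.add(ip)  # stage 2: challenge plus a guessed TOTP value
    window, brute = timedelta(seconds=window_seconds), []
    for ip, stamps in totp_by_ip.items():
        stamps.sort()
        lo = 0
        for hi, t in enumerate(stamps):  # sliding window over the sorted attempts
            while t - stamps[lo] > window:
                lo += 1
            if hi - lo + 1 >= attempt_threshold:
                brute.append(ip)
                break
    return {
        "totp_bruteforce": sorted(brute),
        "csrf_token_reuse": sorted(t for t, n in csrf_use.items() if n >= csrf_reuse_threshold),
        "stage1_then_totp": sorted(stage1_ips & two_stage_ips),
    }
```

Running `analyze(SAMPLE_LOG)` flags 198.51.100.7 on all three rules while the single legitimate-looking attempt from 203.0.113.9 stays quiet.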