CVE-2023-45249
Published 2024-07-24. CVE-2023-45249: Remote command execution due to use of default passwords. The following products are affected: Acronis Cyber Infrastructure (ACI) before build 5.0.1-61…
Priority: P1 93
Severity: critical 9.8 (CVSS 3.1)
CISA Known Exploited Vulnerability, remediation due 2024-08-19
Exploited in the wild
EPSS: 53.53% (98.9th percentile)
Remote command execution due to use of default passwords. The following products are affected: Acronis Cyber Infrastructure (ACI) before build 5.0.1-61, Acronis Cyber Infrastructure (ACI) before build 5.1.1-71, Acronis Cyber Infrastructure (ACI) before build 5.2.1-69, Acronis Cyber Infrastructure (ACI) before build 5.3.1-53, Acronis Cyber Infrastructure (ACI) before build 5.4.4-132.
Affected (10 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| acronis | acronis_cyber_infrastructure | >= unspecified < 5.0.1-61 | 5.0.1-61 |
| acronis | acronis_cyber_infrastructure | >= unspecified < 5.1.1-71 | 5.1.1-71 |
| acronis | acronis_cyber_infrastructure | >= unspecified < 5.2.1-69 | 5.2.1-69 |
| acronis | acronis_cyber_infrastructure | >= unspecified < 5.3.1-53 | 5.3.1-53 |
| acronis | acronis_cyber_infrastructure | >= unspecified < 5.4.4-132 | 5.4.4-132 |
| acronis | cyber_infrastructure | < 5.0.1-61 | 5.0.1-61 |
| acronis | cyber_infrastructure | >= 5.1.1 < 5.1.1-71 | 5.1.1-71 |
| acronis | cyber_infrastructure | >= 5.2.1 < 5.2.1-69 | 5.2.1-69 |
| acronis | cyber_infrastructure | >= 5.3.1 < 5.3.1-53 | 5.3.1-53 |
| acronis | cyber_infrastructure | >= 5.4.4 < 5.4.4-132 | 5.4.4-132 |
Detection & IOCs (extracted from sources)
- Detect exploitation attempts by monitoring for PostgreSQL connections on port 6432 using the default credential pair vstoradmin/vstoradmin targeting the 'vstoradmin' database.
- Alert on the specific PostgreSQL query `SELECT release_notes_url FROM software_info` issued against port 6432, which is the fingerprinting query used by the exploit to confirm a vulnerable ACI instance.
- Monitor for unexpected SSH key uploads to the ACI appliance following PostgreSQL authentication, as the exploit chain uses DB access to gain admin portal access and then uploads SSH keys for root access.
- Flag any external/WAN-facing exposure of PostgreSQL (port 6432) and SSH services on Acronis Cyber Infrastructure hosts, as the attack is fully remote when these services are internet-accessible.
- Use the Censys search query to identify exposed vulnerable ACI instances: `services.http.response.html_title:"Acronis Cyber Infrastructure" and services.port:6432`
- The exploit only succeeds if the ACI instance has never had its default PostgreSQL credentials changed. Instances where the vstoradmin credentials were rotated post-deployment are not vulnerable via this vector.
- The Nuclei template pre-condition checks that port 6432 is open before attempting exploitation; scanners or WAFs blocking this port will prevent the automated exploit but not necessarily manual exploitation.
- Affected builds span multiple ACI major versions (5.0, 5.1, 5.2, 5.3, 5.4); patched builds are 5.0.1-61, 5.1.1-71, 5.2.1-69, 5.3.1-53, and 5.4.4-132 respectively. The build number can be verified via Help -> About in the ACI main window.
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | 3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| vulncheck | | 9.8 | CRITICAL | |
| cisa | | 9.8 | CRITICAL | |
GHSA
GHSA-rjfq-p48j-h96h: Remote command execution due to use of default passwords
ghsa_unreviewed · 2024-07-24 · CVE-2023-45249 · CRITICAL · CWE-1393
VulnCheck
Acronis Cyber Infrastructure (ACI) Insecure Default Password Vulnerability
vulncheck · 2023 · CVSS 9.8 · CVE-2023-45249 · CRITICAL · CWE-1393
Acronis Cyber Infrastructure (ACI) allows an unauthenticated user to execute commands remotely due to the use of default passwords.
Affected: Acronis Cyber Infrastructure (ACI)
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Exploitation References: https://security-advisory.acronis.com/updates/UPD-2310-9e7e-bd9b; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
Remediation Due: 2024-08-19
CISA
Acronis Cyber Infrastructure (ACI) Insecure Default Password Vulnerability
cisa · 2024-07-29 · CVSS 9.8 · CVE-2023-45249 · CRITICAL · CWE-1393
Acronis Cyber Infrastructure (ACI) allows an unauthenticated user to execute commands remotely due to the use of default passwords.
Affected: Acronis Cyber Infrastructure (ACI)
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Notes: https://security-advisory.acronis.com/advisories/SEC-6452; https://nvd.nist.gov/vuln/detail/CVE-2023-45249
Remediation Due Date: 2024-08-19
No detection rules found.
Nuclei
Acronis Cyber Infrastructure - Default Password
nuclei · CVSS 9.8 · CVE-2023-45249 · CRITICAL
Acronis Cyber Infrastructure (ACI) before builds 5.0.1-61, 5.1.1-71, 5.2.1-69, 5.3.1-53, and 5.4.4-132 contains a remote command execution vulnerability caused by the use of default passwords, letting attackers execute arbitrary commands remotely; the exploit requires access to the system with default credentials.
Template (truncated):
```yaml
id: CVE-2023-45249

info:
  name: Acronis Cyber Infrastructure - Default Password
  author: darses
  severity: critical
  description: |
    Acronis Cyber Infrastructure (ACI) before build 5.0.1-61, 5.1.1-71, 5.2.1-69, 5.3.1-53, and 5.4.4-132 contain a remote command execution caused by use of default passwords, letting attackers execute arbitrary commands remotely, exploit requires access to the system with default credentials.
  impact: |
    Attackers can ex
```
Metasploit
Acronis Cyber Infrastructure default password remote code execution
metasploit
Acronis Cyber Infrastructure (ACI) is an IT infrastructure solution that provides storage, compute, and network resources. Businesses and service providers use it for data storage, backup storage, creating and managing virtual machines and software-defined networks, and running cloud-native applications in production environments. This module exploits a default password vulnerability in ACI which allows an attacker to access the ACI PostgreSQL database and gain administrative access to the ACI Web Portal. This opens the door for the attacker to upload SSH keys that enable root access to the appliance/server. This attack can be remotely executed over the WAN as long as the PostgreSQL and SSH services are exposed to the o
References
- https://security-advisory.acronis.com/advisories/SEC-6452
- https://www.securityweek.com/acronis-product-vulnerability-exploited-in-the-wild/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-45249
Timeline
- 2024-07-24: Published
- 2024-07-29: Added to CISA KEV
- Exploited in the wild