CVE-2023-45852
published 2023-10-14

CVE-2023-45852: In Vitogate 300 2.1.3.0, /cgi-bin/vitogate.cgi allows an unauthenticated attacker to bypass authentication and execute arbitrary commands via shell…

Priority: P186 · Severity: critical, 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Flags: ITW (exploited in the wild) · EXPLOIT (public exploit available) · VulnCheck KEV
EPSS: 14.00% (96.1st percentile)
In Vitogate 300 2.1.3.0, /cgi-bin/vitogate.cgi allows an unauthenticated attacker to bypass authentication and execute arbitrary commands via shell metacharacters in the ipaddr params JSON data for the put method.

Affected (1 range)

Vendor      Product                 Version range   Fixed in
viessmann   vitogate_300_firmware   <= 2.1.3.0      (not listed)

Detection & IOCs (extracted from sources)

path: /cgi-bin/vitogate.cgi
request:
  POST /cgi-bin/vitogate.cgi HTTP/1.1
  Content-Type: application/json

  {"method":"put","form":"form-4-8","session":"","params":{"ipaddr":"{{randstr}};cat /etc/passwd"}}
response marker: traceroute: <randstr>: Unknown host
  • Look for POST requests to /cgi-bin/vitogate.cgi with a JSON body whose "method" is "put" and whose params.ipaddr value contains shell metacharacters (the PoC uses a semicolon). The PoC sends an empty "session" value, so the request needs no prior authentication.
  • A successful exploitation response returns HTTP 200 with Content-Type: application/json; the body contains 'traceroute: <injected_string>: Unknown host' followed by the output of the injected command (for the PoC, /etc/passwd lines such as 'daemon:x:1:1:').
  • Use Shodan queries 'title:"Vitogate 300"' or 'http.title:"vitogate 300"' and FOFA queries 'title="Vitogate 300"' to identify exposed Vitogate 300 devices for proactive scanning.
  • The sources place the flaw in the isValidUser function of /cgi-bin/vitogate.cgi and relate it to CVE-2023-5702; direct, unauthenticated requests to /cgi-bin/ paths on these devices are a related forced-browsing indicator worth monitoring.
  • The exploit payload prefixes the injected command with a randomized string ({{randstr}}) before the metacharacter. Detection rules must not match a fixed prefix; key on the metacharacter and the command that follows it, and do not restrict the rule to ';', since the CVE description covers shell metacharacters in general.
  • All versions 2.1.3.0 and prior are affected; the sources name 3.0.0.0 as the patched release (the Affected table above lists no fixed version, so confirm against the vendor's release notes). Detections should target devices still running firmware 2.1.3.0 or earlier.
  • A public PoC is available. One source reports an EPSS score of 0.93587 (99.8th percentile), while the header of this page shows 14.00% (96.1st percentile); EPSS is revised over time, but either figure, combined with the in-the-wild flag, means matching traffic should be treated as high-confidence malicious.
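The following Python is an added example of the detection logic the bullets above describe, written for this page; it is not code from the page's sources or from Viessmann. It assumes the request shape and the 'traceroute: <prefix>: Unknown host' marker from the IOCs above, assumes the device wraps command output in a JSON envelope (not stated on the page), and runs over constructed request/response pairs rather than captured traffic. It checks the request side (POST to the CGI, "put" method, any shell metacharacter in params.ipaddr, empty session) independently of the response side (200 + JSON + traceroute error + leaked /etc/passwd lines), so an attempt against a patched device is still reported, just not as confirmed.

```python
# Added example: detection logic for CVE-2023-45852 (unauthenticated command
# injection through params.ipaddr of the 'put' method on /cgi-bin/vitogate.cgi).
# Not code from the vulnerability database or from Viessmann. The traffic in
# SAMPLE_EXCHANGES is constructed; the request shape and the
# 'traceroute: <prefix>: Unknown host' response come from the IOCs above, and the
# JSON envelope the device wraps its output in is an assumption.
import json
import re

TARGET_PATH = "/cgi-bin/vitogate.cgi"
# Any of these ends the traceroute argument and starts a second shell command;
# a rule keyed on ';' alone (the PoC's choice) is trivially evaded.
SHELL_META = re.compile(r"[;&|`$(){}<>\r\n]")
# Post-exploitation evidence: traceroute fails on the random prefix, then the
# injected command's output follows (an /etc/passwd line in the public PoC).
TRACEROUTE_ERR = re.compile(r"traceroute: (?P<prefix>[^:\r\n]*): Unknown host")
PASSWD_LINE = re.compile(r"^[A-Za-z_][A-Za-z0-9_-]*:[^:\n]*:\d+:\d+:", re.M)


def inspect_request(method, path, body):
    """Classify one request; return a findings dict, or None if it looks benign."""
    if method.upper() != "POST" or path.split("?", 1)[0] != TARGET_PATH:
        return None
    try:
        data = json.loads(body)
    except (TypeError, ValueError):
        return None
    if not isinstance(data, dict) or data.get("method") != "put":
        return None
    params = data.get("params")
    if not isinstance(params, dict) or not isinstance(params.get("ipaddr"), str):
        return None
    hit = SHELL_META.search(params["ipaddr"])
    if hit is None:
        return None  # plain IP or hostname: legitimate use of the traceroute form
    return {
        "form": data.get("form"),
        "unauthenticated": not data.get("session"),
        "metachar": hit.group(0),
        # The random PoC prefix is noise; what follows the first metacharacter
        # is the command the device's shell actually runs.
        "injected_command": params["ipaddr"][hit.end():].strip(),
    }


def inspect_response(status, content_type, body):
    """Return {'prefix', 'passwd_leak'} if the response shows the command ran, else None."""
    if status != 200 or not content_type.lower().startswith("application/json"):
        return None
    try:  # flatten the JSON envelope so escaped newlines become real line breaks
        text = "\n".join(v for v in json.loads(body).values() if isinstance(v, str))
    except (TypeError, ValueError, AttributeError):
        text = body
    err = TRACEROUTE_ERR.search(text)
    if err is None:
        return None
    return {"prefix": err.group("prefix"),
            "passwd_leak": PASSWD_LINE.search(text) is not None}


def scan(exchanges):
    """Run both checks over (request, response) pairs; return one alert per hit."""
    alerts = []
    for req, resp in exchanges:
        finding = inspect_request(req["method"], req["path"], req["body"])
        if finding is None:
            continue
        confirmed = inspect_response(resp["status"], resp["content_type"], resp["body"])
        finding["exploit_confirmed"] = confirmed is not None
        finding["passwd_leak"] = bool(confirmed and confirmed["passwd_leak"])
        alerts.append(finding)
    return alerts


def put_body(ipaddr, session=""):
    """Build the JSON body the vulnerable form expects (shape from the IOCs above)."""
    return json.dumps({"method": "put", "form": "form-4-8", "session": session,
                       "params": {"ipaddr": ipaddr}})


SAMPLE_EXCHANGES = [  # constructed traffic, not captured from a real device
    # 1: the public PoC shape with a random prefix; the device ran the command
    ({"method": "POST", "path": TARGET_PATH, "body": put_body("kqzxv;cat /etc/passwd")},
     {"status": 200, "content_type": "application/json",
      "body": json.dumps({"result": "traceroute: kqzxv: Unknown host\n"
                                    "root:x:0:0:root:/root:/bin/sh\n"
                                    "daemon:x:1:1:daemon:/usr/sbin:/bin/sh\n"})}),
    # 2: a logged-in admin tracing a route through the same form; no metacharacters
    ({"method": "POST", "path": TARGET_PATH, "body": put_body("192.0.2.10", "a1b2c3")},
     {"status": 200, "content_type": "application/json",
      "body": json.dumps({"result": "traceroute to 192.0.2.10, 30 hops max\n"})}),
    # 3: a '|' variant the device rejected; attempt is logged, not confirmed
    ({"method": "POST", "path": TARGET_PATH, "body": put_body("x|id")},
     {"status": 400, "content_type": "application/json", "body": '{"error":"bad request"}'}),
    # 4: same body against another CGI: out of scope for this rule
    ({"method": "POST", "path": "/cgi-bin/other.cgi", "body": put_body("x;id")},
     {"status": 404, "content_type": "text/html", "body": "not found"}),
]
```

Calling scan(SAMPLE_EXCHANGES) yields two alerts: the PoC exchange (unauthenticated, injected_command 'cat /etc/passwd', exploit_confirmed and passwd_leak both true) and the rejected '|' attempt (injected_command 'id', exploit_confirmed false). The admin's plain traceroute and the request to a different CGI produce nothing. To feed real traffic, build the same (request, response) dicts from your proxy or packet-capture tooling; the session field is taken from the JSON body because that is where the PoC leaves it empty.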

CVSS provenance

NVD         v3.1   9.8 CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
VulnCheck          9.8 CRITICAL