CVE-2023-46818
published 2023-10-27


Priority: P3 56
Severity: high, CVSS 3.1 base score 7.2
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Exploit: available (a Metasploit module is referenced in the detection notes below)
EPSS: 13.89% (96.1st percentile)
An issue was discovered in ISPConfig before 3.2.11p1. PHP code injection can be achieved in the language file editor by an admin if admin_allow_langedit is enabled.

Affected (2 ranges)

Vendor     Product    Version range   Fixed in
ispconfig  ispconfig  < 3.2.11        3.2.11
ispconfig  ispconfig  (no version data recorded for this range)

Note the inconsistency on this page: the advisory text says the issue exists in ISPConfig before 3.2.11p1, while the recorded range stops at 3.2.11. Treat a 3.2.11 install that does not carry the p1 patch as affected until verified.

Detection & IOCs (extracted from sources)

url/admin/language_edit.php
path/admin/language_edit.php
command'];file_put_contents('{{websh-file}}',base64_decode('{{websh-base64}}'));die;#
  • Detect the PHP injection pattern in requests to language_edit.php: a records parameter value beginning with '];, followed by file_put_contents and base64_decode, indicates an attempt to write a webshell through the language file editor.
  • Alert on GET requests to /admin/*.php carrying a custom 'C' header whose value is a base64-encoded OS command; this is the webshell command-execution pattern used after exploitation.
  • The exploit requires admin_allow_langedit to be enabled. The Metasploit module attempts to enable it automatically if it is disabled, so monitor for unexpected changes to ISPConfig system configuration settings.
  • Watch for newly created .php files in the ISPConfig /admin/ directory, especially ones with random 32-character alphanumeric names, since the exploit drops its webshell there via file_put_contents.
  • The vulnerability is only exploitable when the ISPConfig setting admin_allow_langedit is enabled. With the setting disabled, the injection path is not reachable.
  • The Metasploit module targets authenticated administrators only. This is a post-authentication vulnerability that requires high-privilege credentials (PR:H in the CVSS vector).
  • Affected versions are ISPConfig before 3.2.11p1. Scope detection rules to unpatched instances.
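The three request-level indicators above (the records-parameter injection, the base64 'C' header on GET /admin/*.php, and hits on a random 32-character .php name under /admin/) can be expressed as one detection hook. The following Python is an added example written for this page, not code from ISPConfig, the Metasploit module or the original source. The Request class, the detection names, the host isp.example and all sample traffic are constructed for illustration; the regexes encode only what the IOC list states.

```python
import base64
import re
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlencode, urlsplit


@dataclass
class Request:
    """One HTTP request as a proxy or WAF hook would see it (hypothetical shape)."""
    method: str
    url: str
    headers: dict = field(default_factory=dict)
    body: str = ""


# Injection pattern from the IOC list: the value closes the PHP literal with ']; and
# then writes a file whose content comes from base64_decode(...).
INJECTION_RE = re.compile(r"'\]\s*;.*?file_put_contents\s*\(.*?base64_decode\s*\(", re.S)
# Any PHP script directly under /admin/ (the post-exploitation command channel).
ADMIN_PHP_RE = re.compile(r"^/admin/[^/]+\.php$")
# Dropped webshell: 32 random alphanumeric characters plus .php under /admin/.
RANDOM_ADMIN_PHP_RE = re.compile(r"^/admin/[A-Za-z0-9]{32}\.php$")


def _header(req: Request, name: str):
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    for key, value in req.headers.items():
        if key.lower() == name.lower():
            return value
    return None


def decode_command_header(req: Request):
    """Return the OS command carried in a base64 'C' header, or None if absent or not base64."""
    value = _header(req, "C")
    if not value:
        return None
    try:
        text = base64.b64decode(value, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError subclass
        return None
    return text if text and text.isprintable() else None


def detect(req: Request) -> list:
    """Return the list of detection names that fire for this request."""
    alerts = []
    path = urlsplit(req.url).path

    # 1. PHP injection via the language editor: a records[...] value that breaks out of
    #    the literal and calls file_put_contents(..., base64_decode(...)).
    if req.method.upper() == "POST" and path == "/admin/language_edit.php":
        for key, values in parse_qs(req.body).items():
            if key.startswith("records") and any(INJECTION_RE.search(v) for v in values):
                alerts.append("ispconfig_langedit_php_injection")
                break

    # 2. Post-exploitation: GET to /admin/*.php with a base64 command in the 'C' header.
    if req.method.upper() == "GET" and ADMIN_PHP_RE.match(path) and decode_command_header(req):
        alerts.append("ispconfig_webshell_c_header")

    # 3. Any request to a 32-char random-named .php file under /admin/ (the dropped shell).
    if RANDOM_ADMIN_PHP_RE.match(path):
        alerts.append("ispconfig_random_admin_php")

    return alerts


# Constructed sample traffic (not captured from a real incident).
SHELL_NAME = "abcdefghij0123456789ABCDEFGHIJ01.php"  # 32 alphanumeric chars + .php
PAYLOAD = ("'];file_put_contents('" + SHELL_NAME
           + "',base64_decode('Q09OU1RSVUNURUQ='));die;#")  # placeholder base64 body
SAMPLES = {
    "inject": Request("POST", "https://isp.example/admin/language_edit.php",
                      {"Cookie": "PHPSESSID=constructed"},
                      urlencode({"lang": "en", "module": "admin", "lang_file": "index.lng",
                                 "records[lbl_title]": PAYLOAD})),
    "exec": Request("GET", "https://isp.example/admin/" + SHELL_NAME,
                    {"C": "aWQ="}),  # base64("id")
    "benign_edit": Request("POST", "https://isp.example/admin/language_edit.php", {},
                           urlencode({"records[lbl_title]": "Welcome"})),
    "benign_get": Request("GET", "https://isp.example/admin/index.php", {}),
}

if __name__ == "__main__":
    for name, req in SAMPLES.items():
        print(f"{name:12s} {detect(req)}")
```

The injection check is deliberately anchored on the records parameter and the exact POST endpoint, because ordinary language edits by an administrator also post to language_edit.php; only the literal-breakout plus file_put_contents(base64_decode(...)) sequence distinguishes the exploit from legitimate use. The 'C' header check decodes the value rather than matching on shape alone, so a hit can be enriched with the command that was run.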