Vulnerability detail
Enriched intelligence for a single CVE
Severity: Critical
CVE-2023-30801 (Published)
qBittorrent Web UI Default Credentials Lead to RCE
- Vendor: qBittorrent
- Product: qBittorrent client
- Published: Oct 10, 2023
- EPSS: —
Description
All versions of the qBittorrent client through 4.5.5 use default credentials when the web user interface is enabled. The administrator is not forced to change the default credentials. As of 4.5.5, this issue has not been fixed. A remote attacker can use the default credentials to authenticate and execute arbitrary operating system commands using the "external program" feature in the web user interface. This was reportedly exploited in the wild in March 2023.
CVSS scores
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitation status
Exploited in the wild
Recorded 2023-10-10 13:46:46 UTC
References
- https://github.com/qbittorrent/qBittorrent/issues/18731
- https://vulncheck.com/advisories/qbittorrent-default-creds
- https://lists.fedoraproject.org/archives/list/[email protected]/message/T5WXBKELVZFZNIDONIJESOCSRPIQNCGI/
- https://lists.fedoraproject.org/archives/list/[email protected]/message/U4BNFJR3ZWVLE2YSYIQYBWVDQBBZOLEL/
Known exploited vulnerability sources
Catalogues that list this CVE as a known exploited vulnerability.
| Source | Added |
|---|---|
| CVE | Oct 10, 2023 |
Timeline
- CVE ID Reserved
- CVE Published to Public
- Added to KEVIntel