CVE-2023-2523

7.3 HIGH

📋 TL;DR

This critical vulnerability in Weaver E-Office 9.5 allows remote attackers to upload arbitrary files without restrictions via the mobile_upload_save function. This can lead to remote code execution and complete system compromise. Organizations using Weaver E-Office 9.5 are affected.

💻 Affected Systems

Products:
  • Weaver E-Office
Versions: 9.5 (specific patch level unknown)
Operating Systems: All platforms running Weaver E-Office
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability exists in the default installation. The vendor did not respond to disclosure attempts.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution leading to complete system takeover, data exfiltration, ransomware deployment, and lateral movement within the network.

🟠 Likely Case

Webshell upload leading to persistent backdoor access, data theft, and potential privilege escalation.

🟢 If Mitigated

File upload attempts blocked at WAF or detected by security monitoring with no successful exploitation.

🌐 Internet-Facing: HIGH - Attack can be launched remotely without authentication, making internet-facing instances extremely vulnerable.
🏢 Internal Only: HIGH - Even internal instances are vulnerable to internal attackers or compromised accounts.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploit details are publicly available on GitHub. The vulnerability requires minimal technical skill to exploit.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None available

Restart Required: No

Instructions:

No official patch available. Consider upgrading to a newer version if available or implementing workarounds.

🔧 Temporary Workarounds

Block vulnerable endpoint

all

Block access to the vulnerable ajax.php endpoint at the web server or WAF level

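# RewriteRule patterns and Nginx location blocks never see the query string, so match it explicitly.
# Apache: RewriteCond %{QUERY_STRING} (^|&)action=mobile_upload_save(&|$) [NC]
#         RewriteRule ^/?App/Ajax/ajax\.php$ - [F,NC]
# Nginx (server context): if ($arg_action ~* "^mobile_upload_save$") { return 403; }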

Restrict file upload types

all

Configure web application firewall to block suspicious file uploads

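# Assuming upload_quwan is the multipart file field, its file name is in the FILES collection, not ARGS.
# ModSecurity rule: SecRule FILES:upload_quwan "@rx \.(php|asp|aspx|jsp|pl)" "id:1001,phase:2,t:lowercase,deny,msg:'Blocked malicious file upload'"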

🧯 If You Can't Patch

  • Isolate the Weaver E-Office server in a separate network segment with strict firewall rules
  • Implement application-level monitoring for file upload activities and suspicious POST requests to ajax.php

🔍 How to Verify

Check if Vulnerable:

Check if Weaver E-Office version 9.5 is installed and test file upload functionality at /App/Ajax/ajax.php?action=mobile_upload_save

Check Version:

Check application version in admin panel or look for version files in installation directory

Verify Fix Applied:

Test if file upload restrictions are properly enforced and the vulnerable endpoint is blocked

📡 Detection & Monitoring

Log Indicators:

  • POST requests to /App/Ajax/ajax.php with action=mobile_upload_save
  • File uploads with suspicious extensions (.php, .jsp, .asp)
  • Unusual file creation in upload directories

Network Indicators:

  • HTTP POST requests to vulnerable endpoint with file upload parameters
  • Outbound connections from the Weaver server to unknown IPs

SIEM Query:

source="weaver_logs" AND (url="/App/Ajax/ajax.php" AND parameters CONTAINS "mobile_upload_save")
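
The log indicator above can also be checked directly against web server access logs. The following is an added example, not part of the original advisory or any vendor tooling: it assumes common/combined log format, and the sample lines, IP addresses and the `other` action are constructed.

```python
import re
from urllib.parse import parse_qs, unquote

# Access-log line (common/combined format): ip - user [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')
ENDPOINT = "/app/ajax/ajax.php"   # path named in the advisory, lowercased
ACTION = "mobile_upload_save"     # action value named in the advisory

def classify(line):
    """Return a finding for a request to the upload action, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    raw_path, _, query = m["target"].partition("?")
    # Decode %xx and collapse repeated slashes so spelling variants still match.
    path = re.sub(r"/+", "/", unquote(raw_path)).lower()
    actions = [a.lower() for a in parse_qs(query).get("action", [])]
    if path != ENDPOINT or ACTION not in actions:
        return None
    status = int(m["status"])
    # POST answered 2xx: the handler ran. 403: the endpoint block is working.
    handled = m["method"] == "POST" and 200 <= status < 300
    return {"ip": m["ip"], "time": m["time"], "method": m["method"],
            "status": status, "severity": "high" if handled else "info"}

def scan(lines):
    """Classify every line and keep only the findings."""
    return [f for f in map(classify, lines) if f]

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE = [
    '203.0.113.7 - - [12/May/2023:10:01:22 +0000] "POST /App/Ajax/ajax.php'
    '?action=mobile_upload_save HTTP/1.1" 200 87 "-" "-"',
    '198.51.100.4 - - [12/May/2023:10:02:10 +0000] "POST //app/ajax/ajax.php'
    '?x=1&action=mobile%5Fupload%5Fsave HTTP/1.1" 403 150 "-" "-"',
    '192.0.2.9 - - [12/May/2023:10:03:00 +0000] "GET /App/Ajax/ajax.php'
    '?action=other HTTP/1.1" 200 512 "-" "-"',
    '192.0.2.9 - - [12/May/2023:10:03:05 +0000] "GET /index.php HTTP/1.1" 200 9 "-" "-"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

Access logs record only the query string, so a request that carries the action in the POST body will not appear here and needs WAF or application-level logging to be seen.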
