CVE-2023-30801
📋 TL;DR
CVE-2023-30801 is a critical vulnerability in qBittorrent where the web interface uses default credentials (admin:adminadmin) that cannot be changed during setup. This allows remote attackers to authenticate and execute arbitrary operating system commands via the external program feature. All users running qBittorrent with the web UI enabled are affected.
💻 Affected Systems
- qBittorrent
📦 What is this software?
qBittorrent by qBittorrent
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise - attacker gains complete control over the host system, can install malware, exfiltrate data, or pivot to other systems.
Likely Case
Remote code execution leading to cryptocurrency mining, ransomware deployment, or botnet enrollment.
If Mitigated
No impact if web UI is disabled or proper authentication controls are implemented.
🎯 Exploit Status
Exploited in the wild since March 2023. Attackers only need to authenticate with default credentials and use the external program feature.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: None - vulnerability not fixed as of 4.5.5
Vendor Advisory: https://github.com/qbittorrent/qBittorrent/issues/18731
Restart Required: No
Instructions:
No official patch available. Apply workarounds or disable vulnerable features.
🔧 Temporary Workarounds
Disable Web UI
Platform: all. Completely disable the web user interface to prevent remote access.
Edit qBittorrent configuration file and set WebUI\Enabled=false
Change Default Credentials
Platform: all. Manually change the default admin password in qBittorrent settings.
Log in to the web UI with admin:adminadmin, go to Tools > Options > Web UI, and change the password
Restrict Network Access
Configure the host firewall to block external access to the qBittorrent web UI port (default 8080).
Linux (ufw): sudo ufw deny 8080/tcp
Windows: netsh advfirewall firewall add rule name="Block qBittorrent WebUI" dir=in action=block protocol=TCP localport=8080
🧯 If You Can't Patch
- Disable the web user interface immediately
- Implement network segmentation and firewall rules to restrict access to qBittorrent web UI
🔍 How to Verify
Check if Vulnerable:
Check if the web UI is enabled and accessible, then attempt to log in with the admin:adminadmin credentials.
Check Version:
qBittorrent: Help > About (GUI) or qbittorrent --version (CLI)
Verify Fix Applied:
Verify web UI is disabled or requires strong authentication, and default credentials no longer work.
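An offline variant of the check above, as an added example that is not part of the original advisory or of qBittorrent: it audits a configuration file instead of attempting a login. It assumes the password is stored under WebUI\Password_PBKDF2 as @ByteArray(salt:hash) using PBKDF2-HMAC-SHA512 with 100000 iterations, and that a missing key means the default is in effect; confirm both against your qBittorrent version. All function names are hypothetical.

```python
import base64
import hashlib
import hmac
import re

# Assumptions (not from the advisory): the password is stored as
# WebUI\Password_PBKDF2="@ByteArray(<b64 salt>:<b64 hash>)", derived with
# PBKDF2-HMAC-SHA512 over 100000 iterations; a missing key means the default.
ITERATIONS = 100_000
DEFAULT_PASSWORD = b"adminadmin"  # default named in the advisory

def parse_conf(text):
    """Return key/value pairs from a qBittorrent.conf (INI-style) body."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(("[", "#", ";")) or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip().strip('"')
    return settings

def is_default_hash(stored):
    """True if the stored salt:hash pair verifies against the default password."""
    m = re.fullmatch(r"@ByteArray\(([^:]+):([^)]+)\)", stored)
    if not m:
        return False
    salt, expected = (base64.b64decode(part) for part in m.groups())
    derived = hashlib.pbkdf2_hmac("sha512", DEFAULT_PASSWORD, salt, ITERATIONS, len(expected))
    return hmac.compare_digest(derived, expected)

def audit(conf_text):
    """Return 'webui-disabled', 'default-credentials' or 'custom-password'."""
    s = parse_conf(conf_text)
    # A missing WebUI\Enabled key is treated as enabled, the conservative choice.
    if s.get("WebUI\\Enabled", "true").lower() != "true":
        return "webui-disabled"
    stored = s.get("WebUI\\Password_PBKDF2")
    if stored is None or is_default_hash(stored):
        return "default-credentials"
    return "custom-password"

def make_entry(password, salt):
    """Build a constructed sample value in the assumed storage format."""
    digest = hashlib.pbkdf2_hmac("sha512", password, salt, ITERATIONS, 64)
    return "@ByteArray(%s:%s)" % (base64.b64encode(salt).decode(), base64.b64encode(digest).decode())

if __name__ == "__main__":
    sample = "[Preferences]\nWebUI\\Enabled=true\nWebUI\\Port=8080\n"  # constructed
    print(audit(sample))  # no password key present
```

A result of custom-password only means the stored hash does not match the default; it says nothing about the strength of the password in use.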
📡 Detection & Monitoring
Log Indicators:
- Failed login attempts followed by successful login with admin account
- Web UI authentication logs showing default credential use
- System logs showing unexpected process execution
Network Indicators:
- Inbound connections to qBittorrent web UI port (default 8080) from unexpected sources
- Outbound connections from qBittorrent host to suspicious IPs
SIEM Query:
source="qbittorrent.log" AND ((event="login" AND user="admin") OR event="external_program_execution")
🔗 References
- https://github.com/qbittorrent/qBittorrent/issues/18731
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T5WXBKELVZFZNIDONIJESOCSRPIQNCGI/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U4BNFJR3ZWVLE2YSYIQYBWVDQBBZOLEL/
- https://vulncheck.com/advisories/qbittorrent-default-creds