CVE-2023-30990

8.6 HIGH

📋 TL;DR

This vulnerability allows remote attackers to execute arbitrary CL commands as the QUSER account on IBM i systems by exploiting the DDM architecture. It affects IBM i versions 7.2, 7.3, 7.4, and 7.5. Attackers can potentially gain unauthorized access and execute commands with QUSER privileges.

💻 Affected Systems

Products:
  • IBM i
Versions: 7.2, 7.3, 7.4, 7.5
Operating Systems: IBM i
Default Config Vulnerable: ⚠️ Yes
Notes: All IBM i systems running affected versions with DDM services enabled are vulnerable.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote attacker gains full control of IBM i system, executes arbitrary commands as QUSER, accesses sensitive data, modifies system configurations, or installs persistent backdoors.

🟠

Likely Case

Attacker executes CL commands with QUSER privileges to access files, run programs, or modify system settings, potentially leading to data theft or system disruption.

🟢

If Mitigated

With proper network segmentation and access controls, impact is limited to isolated systems with minimal critical data exposure.

🌐 Internet-Facing: HIGH - Remote exploitation capability means internet-facing IBM i systems are at significant risk.
🏢 Internal Only: MEDIUM - Internal systems are vulnerable but require network access; risk depends on internal segmentation.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Remote exploitation without authentication makes this particularly dangerous. Because the flaw is in the DDM architecture, the attack vector is network-based, over the DDM service ports.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Apply IBM i Group PTFs as specified in IBM advisory

Vendor Advisory: https://www.ibm.com/support/pages/node/7008573

Restart Required: Yes

Instructions:

1. Review IBM advisory 7008573.
2. Apply the required PTFs for your IBM i version.
3. Restart the system as required.
4. Verify that the PTFs were applied.

🔧 Temporary Workarounds

Disable DDM Services

Platform: ibmi

Disable Distributed Data Management services if not required. ENDTCPSVR stops the running DDM TCP/IP server; CHGNETA DDMACC(*REJECT) sets the DDM request access network attribute so that incoming DDM/DRDA requests are rejected even if the server is started again.

ENDTCPSVR SERVER(*DDM)
CHGNETA DDMACC(*REJECT)

Network Segmentation

Platform: all

Restrict network access to the IBM i DDM and host-server ports (446, 8470-8476) to known client systems only.

🧯 If You Can't Patch

  • Implement strict network access controls to IBM i systems
  • Monitor for unusual CL command execution by QUSER account

🔍 How to Verify

Check if Vulnerable:

Check the IBM i version with DSPSYSVAL QVERSION and verify whether the PTFs listed in the IBM advisory are applied.

Check Version:

DSPSYSVAL QVERSION

Verify Fix Applied:

Verify PTF group status with WRKPTFGRP and check the system logs for successful PTF installation.

📡 Detection & Monitoring

Log Indicators:

  • Unusual CL command execution by QUSER
  • Failed authentication attempts to DDM services
  • Unexpected network connections to DDM ports

Network Indicators:

  • Traffic to IBM i ports 446, 8470-8476 from unexpected sources
  • DDM protocol anomalies

SIEM Query:

(source="ibm_i" AND user="QUSER" AND command="*CMD") OR dest_port IN (446, 8470, 8471, 8472, 8473, 8474, 8475, 8476)
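As an added example that is not part of this advisory, the log and network indicators above can be expressed as a small Python checker run over constructed sample log lines. It flags CL command execution by QUSER, failed DDM authentication, and connections to the DDM/host-server ports from sources outside an allow-list (the SIEM query above matches any connection to those ports; the allow-list is what keeps normal client traffic out of the alerts). The key="value" line format, the event names, the job name and the allowed network 10.20.0.0/16 are assumptions made for this example; the port list and the QUSER/DDM indicators come from the page.

```python
"""Detection logic for the indicators listed in this advisory.

Sample log lines, the key="value" format, event names and the allow-list
are constructed for this example and are not IBM i audit journal output.
"""
import shlex
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List

# DDM/DRDA port 446 plus the IBM i host-server ports 8470-8476 (from the page).
DDM_PORTS = {446, *range(8470, 8477)}

# Networks that are allowed to reach the DDM ports (assumption for this example).
ALLOWED_SOURCES = [ip_network("10.20.0.0/16")]

# Constructed sample lines: one QUSER command execution, one benign command,
# one external connection to port 446, one allowed internal connection,
# one failed DDM authentication, and one non-DDM connection.
LOGS = """\
source="ibm_i" event="CMD" user="QUSER" command="CALL PGM(QSYS/QCMDEXC)" job="DDMSVR01"
source="ibm_i" event="CMD" user="APPUSR1" command="WRKACTJOB" job="QPADEV0001"
source="firewall" event="CONN" src_ip="203.0.113.7" dest_ip="10.20.1.5" dest_port="446"
source="firewall" event="CONN" src_ip="10.20.3.9" dest_ip="10.20.1.5" dest_port="8475"
source="ibm_i" event="AUTHFAIL" user="QUSER" service="DDM" src_ip="203.0.113.7"
source="firewall" event="CONN" src_ip="10.20.3.9" dest_ip="10.20.1.5" dest_port="443"
"""


@dataclass
class Finding:
    rule: str   # which indicator fired
    line: str   # the raw log line that triggered it


def parse_kv(line: str) -> Dict[str, str]:
    """Parse a key="value" line into a dict; quoted values may contain spaces."""
    fields: Dict[str, str] = {}
    for token in shlex.split(line):
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value
    return fields


def source_allowed(src_ip: str) -> bool:
    """True when the source address falls inside an allow-listed network."""
    try:
        addr = ip_address(src_ip)
    except ValueError:
        return False  # unparseable source: treat as not allowed
    return any(addr in net for net in ALLOWED_SOURCES)


def detect(log_text: str) -> List[Finding]:
    """Apply the three indicators from the advisory to each log line."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        f = parse_kv(line)
        if not f:
            continue

        # Log indicator: CL command execution by the QUSER account.
        if f.get("source") == "ibm_i" and f.get("event") == "CMD" and f.get("user") == "QUSER":
            findings.append(Finding("quser_cmd_exec", line))

        # Log indicator: failed authentication to the DDM service.
        if f.get("source") == "ibm_i" and f.get("event") == "AUTHFAIL" and f.get("service") == "DDM":
            findings.append(Finding("ddm_auth_failure", line))

        # Network indicator: DDM/host-server port reached from an unexpected source.
        port = f.get("dest_port", "")
        if port.isdigit() and int(port) in DDM_PORTS:
            src = f.get("src_ip")
            if src and not source_allowed(src):
                findings.append(Finding("ddm_port_unexpected_source", line))
    return findings


if __name__ == "__main__":
    for finding in detect(LOGS):
        print(f"[{finding.rule}] {finding.line}")
```

Running the block prints three findings for the constructed input; the allowed internal connection to port 8475 and the connection to port 443 are not reported. In a real deployment the allow-list should be the set of systems that legitimately use DDM/DRDA, and the QUSER rule should be tuned against the normal server jobs that run under that profile.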
