CVE-2023-33367

9.8 CRITICAL

📋 TL;DR

This SQL injection vulnerability in Control ID IDSecure allows unauthenticated attackers to write PHP files to the server's root directory, leading to remote code execution. It affects IDSecure versions 4.7.26.0 and earlier, putting access control systems at risk of complete compromise.

💻 Affected Systems

Products:
  • Control ID IDSecure
Versions: 4.7.26.0 and prior
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Affects default installations with web interface exposed. SQL injection leads to PHP file write capability.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system takeover with attacker gaining full administrative control, data exfiltration, lateral movement to other systems, and persistent backdoor installation.

🟠 Likely Case

Remote code execution leading to system compromise, credential theft, and potential ransomware deployment on affected access control systems.

🟢 If Mitigated

Limited impact with proper network segmentation, WAF protection, and restricted database permissions preventing successful exploitation.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

SQL injection to PHP file write chain makes exploitation straightforward for attackers with basic skills.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.7.27.0 or later

Vendor Advisory: https://www.controlid.com.br/en/access-control/idsecure/

Restart Required: Yes

Instructions:

1. Download the latest version from the Control ID website.
2. Back up the current installation.
3. Run the installer to upgrade.
4. Restart the IDSecure service.
5. Verify that the version shows 4.7.27.0 or higher.

🔧 Temporary Workarounds

Network Segmentation (all)

Isolate IDSecure systems from the internet and restrict internal network access.

WAF Rules (all)

Implement web application firewall rules to block SQL injection patterns.

Example ModSecurity rule:

  SecRule ARGS "@detectSQLi" "id:1001,phase:2,deny,status:403"

🧯 If You Can't Patch

  • Implement strict network access controls to limit connections to IDSecure systems
  • Deploy web application firewall with SQL injection detection rules

🔍 How to Verify

Check if Vulnerable:

Check the IDSecure version in the web interface or installation directory. Versions 4.7.26.0 and earlier are vulnerable.

Check Version:

Check the web interface at /admin or examine the installation directory for version files.

Verify Fix Applied:

Verify that the version shows 4.7.27.0 or higher in system information; test SQL injection attempts against the web interface should be blocked.

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL queries in database logs
  • PHP file creation in web root directory
  • Unauthenticated access attempts to admin endpoints

Network Indicators:

  • SQL injection patterns in HTTP requests
  • POST requests with SQL syntax to vulnerable endpoints
  • Unexpected PHP file uploads

SIEM Query:

source="web_logs" AND (uri="*idsecure*" OR uri="*admin*") AND (message="*sql*" OR message="*union*" OR message="*select*" OR message="*insert*")
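As an added example (not part of this advisory or of Control ID's software), the following script applies the version check from "How to Verify" and the detection logic of the SIEM query above to web server access logs. It assumes logs in the common combined format, and the sample lines are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

FIXED_VERSION = (4, 7, 27, 0)  # first fixed release named in the advisory

def is_vulnerable_version(version: str) -> bool:
    """True when an IDSecure version string is 4.7.26.0 or earlier."""
    parts = tuple(int(p) for p in version.strip().split("."))
    parts += (0,) * (4 - len(parts))  # pad short strings such as "4.7"
    return parts < FIXED_VERSION

# Keyword set mirrors the SIEM query; quote/comment tokens are included so
# URL-encoded payloads are still caught after decoding.
SQL_PATTERN = re.compile(r"(?i)\b(union|select|insert|sleep|benchmark)\b|'|--|/\*")
# Only requests to IDSecure or admin paths are of interest (reduces noise).
TARGET_URI = re.compile(r"(?i)idsecure|/admin")
# Combined log format: ip ident user [ts] "METHOD URI PROTO" status ...
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)

def flag_suspicious_requests(lines):
    """Return (ip, method, decoded_uri) for requests to IDSecure/admin
    paths whose URI carries SQL syntax after URL decoding."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        uri = unquote_plus(m["uri"])
        if TARGET_URI.search(uri) and SQL_PATTERN.search(uri):
            hits.append((m["ip"], m["method"], uri))
    return hits

# Constructed sample log lines; not real traffic.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /idsecure/login HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [01/Jan/2024:10:00:02 +0000] "GET /idsecure/login?user=a%27%20UNION%20SELECT%201-- HTTP/1.1" 500 0 "-" "curl/8.0"',
    '10.0.0.7 - - [01/Jan/2024:10:00:03 +0000] "POST /admin/report?id=7 HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '10.0.0.8 - - [01/Jan/2024:10:00:04 +0000] "GET /docs/select-your-plan HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in flag_suspicious_requests(SAMPLE_LOG):
        print("suspicious:", hit)
    print("4.7.26.0 vulnerable:", is_vulnerable_version("4.7.26.0"))
```

The fourth sample line shows why the URI filter matters: the word "select" alone would match the raw SIEM query, but it is outside any IDSecure or admin path and is not flagged.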

🔗 References