CVE-2023-37266

9.8 CRITICAL

📋 TL;DR

CVE-2023-37266 allows unauthenticated attackers to bypass authentication in CasaOS by crafting arbitrary JWTs, gaining root access to execute arbitrary commands. This affects all CasaOS instances running vulnerable versions. The vulnerability enables complete system compromise.

💻 Affected Systems

Products:
  • CasaOS
Versions: All versions before 0.4.4
Operating Systems: Linux
Default Config Vulnerable: ⚠️ Yes
Notes: All default installations are vulnerable. No special configuration required for exploitation.


⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system takeover with root privileges, data theft, ransomware deployment, and persistent backdoor installation.

🟠 Likely Case

Unauthenticated attackers gain root access to execute arbitrary commands, potentially compromising the entire CasaOS instance and underlying host.

🟢 If Mitigated

No impact if properly patched or isolated from untrusted networks.

🌐 Internet-Facing: HIGH - Internet-facing instances are directly exploitable by any attacker without authentication.
🏢 Internal Only: MEDIUM - Internal instances are still vulnerable to insider threats or compromised internal systems.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires crafting a JWT with specific claims. Public technical details and proof-of-concept code are available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.4.4

Vendor Advisory: https://github.com/IceWhaleTech/CasaOS/security/advisories/GHSA-m5q5-8mfw-p2hr

Restart Required: Yes

Instructions:

1. Back up CasaOS data and configuration.
2. Stop the CasaOS service.
3. Update to version 0.4.4 using your package manager or a manual installation.
4. Restart the CasaOS service.
5. Verify that the update was successful.

🔧 Temporary Workarounds

Network Isolation (Linux)

Restrict network access to CasaOS to trusted IP addresses only. Replace TRUSTED_IP with the address or CIDR range that should keep access; ufw evaluates rules in order, so the allow rule must be added before the deny rule, and ufw requires a protocol when several ports are listed in one rule:

sudo ufw allow from TRUSTED_IP to any port 80,443 proto tcp
sudo ufw deny from any to any port 80,443 proto tcp

🧯 If You Can't Patch

  • Immediately restrict network access to CasaOS to trusted IP addresses only
  • Consider temporarily disabling CasaOS until patching is possible

🔍 How to Verify

Check if Vulnerable:

Check CasaOS version. If version is below 0.4.4, the system is vulnerable.

Check Version:

casaos --version || grep version /usr/local/casaos/version.txt

Verify Fix Applied:

Verify CasaOS version is 0.4.4 or higher and test authentication requirements for API endpoints.
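The version comparison above is easy to get wrong by hand (for example, "0.4.10" is newer than "0.4.4" even though it sorts lower as a plain string). The following POSIX shell script is an added example, not code from the CasaOS project or this advisory: it normalises a version string, compares it against the fixed release 0.4.4 with sort -V, and reports whether the installed build is in the affected range. It assumes the version string has the form [v]MAJOR.MINOR.PATCH with an optional suffix, that sort -V is available (GNU coreutils or busybox), and it reuses the two version-lookup commands shown on this page, whose output format is not documented here, so the script extracts the first dotted triplet it finds.

```shell
#!/bin/sh
# Added example (not CasaOS project code): check an installed CasaOS version
# against the CVE-2023-37266 fix release. Assumes [v]MAJOR.MINOR.PATCH[-suffix]
# version strings and a sort(1) that understands -V.

FIXED_VERSION="0.4.4"

# normalize_version STRING: drop a leading "v"/"V" and anything after the
# numeric triplet. Pre-release suffixes are discarded, so a "0.4.4-rc" build is
# reported as patched; review such builds manually.
normalize_version() {
    printf '%s\n' "$1" | sed -e 's/^[vV]//' \
        -e 's/^\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/'
}

# version_lt A B: succeed (exit 0) when A sorts before B in version order.
version_lt() {
    [ "$1" = "$2" ] && return 1
    first=$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)
    [ "$first" = "$1" ]
}

# is_vulnerable STRING: exit 0 when the version is below 0.4.4 (affected),
# 1 when it is 0.4.4 or later, 2 when the string is not a recognisable version.
is_vulnerable() {
    v=$(normalize_version "$1")
    case "$v" in
        [0-9]*.[0-9]*.[0-9]*) ;;
        *) echo "unrecognised version string: $1" >&2; return 2 ;;
    esac
    version_lt "$v" "$FIXED_VERSION"
}

# installed_version: run the lookup commands from this page and keep the first
# dotted triplet found, since the exact output format is not documented here.
installed_version() {
    { casaos --version 2>/dev/null || grep -i version /usr/local/casaos/version.txt 2>/dev/null; } \
        | grep -o '[0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*' | head -n 1
}

# report STRING: print a one-line verdict and propagate is_vulnerable's status.
report() {
    if is_vulnerable "$1"; then
        echo "CasaOS $1 is below $FIXED_VERSION: VULNERABLE to CVE-2023-37266"
        return 0
    else
        rc=$?
        [ "$rc" -eq 1 ] && echo "CasaOS $1 is $FIXED_VERSION or later: fix release present"
        return "$rc"
    fi
}

# Run against the local installation only when explicitly requested, so the
# functions can also be sourced for use elsewhere:
#   CASAOS_CHECK=run sh ./casaos_version_check.sh
[ "${CASAOS_CHECK:-}" = "run" ] && report "$(installed_version)"
```

A vulnerable verdict from this script only tells you the version is in the affected range; a version at or above 0.4.4 still calls for the authentication test described above, since a patched binary with a stale running process (the page notes a restart is required) would pass the version check but not the behavioural one.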

📡 Detection & Monitoring

Log Indicators:

  • Unusual authentication attempts with crafted JWTs
  • Root-level command execution from unauthenticated sources
  • Failed JWT validation logs

Network Indicators:

  • Unauthenticated API requests to sensitive endpoints
  • Unusual outbound connections from CasaOS host

SIEM Query:

source="casaos" AND (event="authentication_failure" OR event="root_command")
