CVE-2023-37756
📋 TL;DR
CVE-2023-37756 allows attackers to brute-force administrator passwords in i-doit IT documentation software due to weak password requirements. This can lead to full system compromise through malicious plugin uploads. Affects i-doit pro and open versions 25 and below.
💻 Affected Systems
- i-doit pro
- i-doit open
📦 What is this software?
I Doit by I Doit
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise via remote code execution through malicious plugin upload after gaining administrator access
Likely Case
Unauthorized administrator access leading to data theft, system manipulation, and potential ransomware deployment
If Mitigated
Limited to failed login attempts if strong passwords and rate limiting are enforced
🎯 Exploit Status
Exploitation requires access to login interface but uses simple brute-force techniques
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version 26 or later
Vendor Advisory: https://www.i-doit.com/en/security/
Restart Required: No
Instructions:
1. Backup your i-doit installation and database.
2. Download i-doit version 26 or later from official sources.
3. Follow the official upgrade documentation.
4. Verify password policies are enforced.
🔧 Temporary Workarounds
Enforce Strong Password Policy
Implement minimum password length (12+ characters), complexity requirements, and account lockout policies
Configure via i-doit admin interface: System settings > Security > Password policy
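A policy checker of the kind a defender can run against candidate passwords while verifying the workaround above. This is an added example, not i-doit code: the 12-character minimum follows the page, while the four character classes, the small denylist and the username check are assumptions chosen to illustrate a reasonable policy.

```python
import re

# Minimum length from the workaround above; the remaining parameters are
# assumptions for this example, not i-doit's own settings.
MIN_LENGTH = 12
REQUIRED_CLASSES = {
    "lowercase": re.compile(r"[a-z]"),
    "uppercase": re.compile(r"[A-Z]"),
    "digit": re.compile(r"[0-9]"),
    "symbol": re.compile(r"[^A-Za-z0-9]"),
}
# Constructed denylist; a deployment would load a breached-password list instead.
DENYLIST = {"password", "admin", "idoit", "i-doit", "qwerty", "123456"}


def check_password(candidate: str, username: str = "") -> list[str]:
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    for name, pattern in REQUIRED_CLASSES.items():
        if not pattern.search(candidate):
            problems.append(f"missing {name} character")
    lowered = candidate.lower()
    if lowered in DENYLIST:
        problems.append("matches common-password denylist")
    if username and username.lower() in lowered:
        problems.append("contains the username")
    return problems


if __name__ == "__main__":
    for pw, user in [("password", "admin"), ("Correct-Horse-Battery-9", "alice")]:
        print(repr(pw), check_password(pw, user) or "accepted")
```

Returning the full list of violations rather than a boolean makes the check usable both as an account-creation gate and as an audit report over existing accounts.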
Implement Rate Limiting
Limit login attempts to prevent brute-force attacks
Configure via web server (e.g., Apache mod_evasive, Nginx limit_req) or WAF
🧯 If You Can't Patch
- Implement network-level controls: Restrict access to i-doit interface via firewall rules, VPN, or zero-trust network access
- Enable multi-factor authentication if supported, or implement compensating controls like regular password rotation and monitoring
🔍 How to Verify
Check if Vulnerable:
Check i-doit version in admin interface: Help > About. If version is 25 or below, system is vulnerable
Check Version:
Check via web interface or database: SELECT value FROM isys_settings WHERE isys_settings__key = 'system.version'
Verify Fix Applied:
After upgrade, verify version is 26+ and test that weak passwords are rejected during account creation
📡 Detection & Monitoring
Log Indicators:
- Multiple failed login attempts for admin accounts
- Successful admin login from unusual IP addresses
- Plugin upload events
Network Indicators:
- High volume of POST requests to /admin/login
- Traffic patterns consistent with brute-force tools
SIEM Query:
source="i-doit-logs" (event="login_failed" user="admin" count>10 within 5min) OR (event="plugin_upload" user="admin")
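The SIEM query above expressed as stand-alone detection logic, run over a constructed log sample. This is an added example and not i-doit's code or log format: the "timestamp event user src_ip" line layout, the event names and the allowlisted admin network are assumptions; the threshold of more than 10 failures in 5 minutes comes from the query. It covers all three log indicators listed above (failed admin logins, admin login from an unexpected address, plugin upload).

```python
import ipaddress
from collections import deque
from datetime import datetime, timedelta

# Constructed sample log in a simple "timestamp event user src_ip" layout; the
# real i-doit log format is not given on this page, so the parser is an assumption.
SAMPLE_LOG = """\
2024-01-15T10:00:01Z login_failed admin 203.0.113.7
2024-01-15T10:00:21Z login_failed admin 203.0.113.7
2024-01-15T10:00:41Z login_failed admin 203.0.113.7
2024-01-15T10:01:01Z login_failed admin 203.0.113.7
2024-01-15T10:01:21Z login_failed admin 203.0.113.7
2024-01-15T10:01:41Z login_failed admin 203.0.113.7
2024-01-15T10:02:00Z login_failed alice 10.20.30.40
2024-01-15T10:02:01Z login_failed admin 203.0.113.7
2024-01-15T10:02:21Z login_failed admin 203.0.113.7
2024-01-15T10:02:41Z login_failed admin 203.0.113.7
2024-01-15T10:03:01Z login_failed admin 203.0.113.7
2024-01-15T10:03:21Z login_failed admin 203.0.113.7
2024-01-15T10:03:41Z login_failed admin 203.0.113.7
2024-01-15T10:04:10Z login_ok admin 203.0.113.7
2024-01-15T10:05:30Z plugin_upload admin 203.0.113.7
2024-01-15T10:09:00Z login_ok admin 10.20.30.41
"""

FAIL_THRESHOLD = 10            # "count>10 within 5min" from the SIEM query
WINDOW = timedelta(minutes=5)
WATCHED_USERS = {"admin"}
# Constructed allowlist of networks from which admin logins are expected.
KNOWN_ADMIN_NETS = [ipaddress.ip_network("10.20.30.0/24")]


def parse_line(line):
    """Split one constructed log line into (timestamp, event, user, source ip)."""
    ts, event, user, ip = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), event, user, ip


def detect(log_text):
    """Return alerts as (rule, user, src_ip, timestamp) tuples, in time order."""
    records = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())
    failures = {}   # user -> timestamps of failed logins inside the sliding window
    alerts = []
    for ts, event, user, ip in records:
        if event == "login_failed":
            dq = failures.setdefault(user, deque())
            dq.append(ts)
            while dq and ts - dq[0] > WINDOW:   # drop failures older than 5 minutes
                dq.popleft()
            if user in WATCHED_USERS and len(dq) > FAIL_THRESHOLD:
                alerts.append(("brute_force", user, ip, ts))
                dq.clear()      # one alert per burst, not one per extra failure
        elif event == "login_ok" and user in WATCHED_USERS:
            src = ipaddress.ip_address(ip)
            if not any(src in net for net in KNOWN_ADMIN_NETS):
                alerts.append(("admin_login_unusual_ip", user, ip, ts))
        elif event == "plugin_upload" and user in WATCHED_USERS:
            alerts.append(("plugin_upload", user, ip, ts))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(*alert)
```

The window is cleared after an alert so a sustained guessing run produces one alert per burst; the admin login and plugin upload that follow it are reported separately, which is the sequence worth correlating for this CVE.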
🔗 References
- https://github.com/leekenghwa/CVE-2023-37756-CWE-521-lead-to-malicious-plugin-upload-in-the-i-doit-Pro-25-and-below/blob/main/README.md
- https://medium.com/%40ray.999/idoit-pro-v25-and-below-weak-password-add-on-upload-to-rce-cve-2023-37756-fa1b18433ca3