CVE-2023-38378

9.8 CRITICAL

📋 TL;DR

This vulnerability allows remote attackers to execute arbitrary code on RIGOL MSO5000 digital oscilloscopes by injecting shell metacharacters into password change requests. Attackers can gain full control of the device without authentication. Only users of specific RIGOL oscilloscope models with vulnerable firmware are affected.

💻 Affected Systems

Products:
  • RIGOL MSO5000 digital oscilloscope
Versions: Firmware 00.01.03.00.03
Operating Systems: Embedded Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Web interface must be enabled and accessible. Older firmware versions may also be vulnerable but unconfirmed.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of the oscilloscope, allowing attackers to modify measurements, exfiltrate sensitive data, or use the device as a pivot point into connected networks.

🟠 Likely Case

Unauthorized access to oscilloscope functions, potential data manipulation, and device instability affecting measurement accuracy.

🟢 If Mitigated

Limited to internal network access with proper segmentation, reducing exposure to trusted users only.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploit requires network access to the web interface. No authentication needed for the vulnerable endpoint.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None found

Restart Required: No

Instructions:

No official patch available. Check the RIGOL website for firmware updates. If an update exists:
1. Download the firmware from the official source
2. Transfer it to the oscilloscope via USB
3. Follow the device update procedure

🔧 Temporary Workarounds

Disable Web Interface (applies to: all)

Turn off the web interface to prevent remote exploitation:

  • Access the device settings menu
  • Navigate to Network/Web settings
  • Disable the web server/interface

Network Segmentation (applies to: all)

Isolate the oscilloscope on a separate VLAN with strict access controls.

🧯 If You Can't Patch

  • Disconnect device from network entirely and use local interface only
  • Implement strict firewall rules allowing only trusted IP addresses to access the web interface

🔍 How to Verify

Check if Vulnerable:

Check the firmware version in the device settings. If the version is 00.01.03.00.03 and the web interface is enabled, the device is vulnerable.

Check Version:

Check via device menu: System → System Info → Firmware Version

Verify Fix Applied:

Verify that the firmware version has been updated to one later than 00.01.03.00.03, or that the web interface is disabled.

📡 Detection & Monitoring

Log Indicators:

  • Unusual HTTP requests to /webcontrol/changepwd.cgi
  • Failed authentication attempts with shell metacharacters in parameters

Network Indicators:

  • HTTP POST requests to changepwd.cgi containing special characters like ;, |, &, or $
  • Unexpected outbound connections from oscilloscope

SIEM Query:

source="oscilloscope" AND (url="*changepwd.cgi*" AND (param="*;*" OR param="*|*" OR param="*&*" OR param="*$*"))
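The indicators above can be checked in code as well. The following is an added example, not part of the advisory or any RIGOL software: it inspects request records in the shape a reverse proxy or IDS in front of the oscilloscope could emit (the record fields and the parameter names are assumptions) and URL-decodes each parameter before looking for the listed metacharacters, which the raw-text SIEM pattern cannot do.

```python
from urllib.parse import urlsplit, parse_qsl

# Shell metacharacters the advisory lists as network indicators.
SHELL_META = frozenset(";|&$")
ENDPOINT = "changepwd.cgi"


def flagged_params(encoded):
    """Decode a query string or urlencoded body; return {param: [metachars]}.

    Decoding first matters: a raw-text match misses "%3B" and fires on the
    "&" that merely separates fields, so this cuts both misses and noise.
    """
    hits = {}
    for name, value in parse_qsl(encoded, keep_blank_values=True):
        found = sorted(c for c in set(value) if c in SHELL_META)
        if found:
            hits[name] = found
    return hits


def inspect(record):
    """Return an alert dict for one request record, or None if it looks benign."""
    url = urlsplit(record["uri"])
    if not url.path.endswith(ENDPOINT):
        return None
    hits = flagged_params(url.query)
    if record.get("method") == "POST":
        hits.update(flagged_params(record.get("body", "")))
    if not hits:
        return None
    return {"src": record["src"], "uri": record["uri"], "params": hits}


def scan(records):
    """Run inspect() over a list of records and keep only the alerts."""
    return [alert for alert in map(inspect, records) if alert]


# Constructed sample records (not real captures); field and parameter names are assumed.
SAMPLE_RECORDS = [
    {"src": "10.0.0.5", "method": "POST", "uri": "/webcontrol/changepwd.cgi",
     "body": "old=secret&new=secret2"},                     # benign: "&" only separates fields
    {"src": "10.0.0.9", "method": "POST", "uri": "/webcontrol/changepwd.cgi",
     "body": "old=x&new=y%3Bz"},                            # encoded ";" inside a value
    {"src": "10.0.0.9", "method": "GET", "uri": "/webcontrol/changepwd.cgi?new=a%7Cb"},
    {"src": "10.0.0.7", "method": "POST", "uri": "/webcontrol/index.cgi", "body": "q=a%3Bb"},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_RECORDS):
        print(alert)
```

Access logs normally omit POST bodies, so the body check only has effect when the records come from a proxy or sensor that logs them.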
