CVE-2023-46947

8.8 HIGH

📋 TL;DR

Subrion CMS 4.2.1 contains a remote command execution vulnerability in the backend (admin panel) that lets an authenticated backend user run arbitrary commands on the server. Every default installation of version 4.2.1 is affected. An attacker who obtains backend credentials (phishing, password reuse, or a separate flaw) gets code execution with the web server's privileges; how much of the host is reachable from there depends on how the PHP process is confined.

💻 Affected Systems

Products:
  • Subrion CMS
Versions: 4.2.1
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires an authenticated backend (admin panel) account to exploit. All default installations of Subrion 4.2.1 are vulnerable; no non-default setting is needed to reach the flaw.

📦 What is this software?

Subrion CMS is an open-source content management system written in PHP on MySQL, developed by Intelliants. It has a public front end and an authenticated backend (admin panel, default path /panel/, configurable) used to manage content, users, extensions and uploaded files. The backend is where this vulnerability lives.
⚠️ Risk & Real-World Impact

🔴 Worst Case

Full server compromise: data theft, ransomware deployment, lateral movement to other systems, and complete takeover of the host.

🟠 Likely Case

Attackers gain shell access as the web server account, install a backdoor in the web root or uploads tree, steal the database and configuration secrets, and use the server as a staging point for further attacks.

🟢 If Mitigated

With backend access limited to trusted networks, PHP execution blocked in upload directories, network segmentation and a least-privilege web server account, impact is contained to the web application server.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires an authenticated backend account; there is no unauthenticated path. A public proof of concept is available in the linked GitHub issue (#909), so treat any exposed 4.2.1 backend as at risk.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.2.2 or later (confirm against the vendor's releases: the linked advisory is an issue report, not a release note, so verify that the release you deploy actually contains the fix)

Vendor Advisory: https://github.com/intelliants/subrion/issues/909

Restart Required: No

Instructions:

1. Back up the Subrion files and the database.
2. Download the latest version from the official Subrion website (or, if no packaged release contains the fix, apply the fix referenced in the advisory issue and record the commit you deployed).
3. Replace all files except your configuration file and the uploads directory.
4. Run the update script if one is provided.
5. Verify that the site and the backend still work, and that the deployed code actually includes the fix (a version constant alone proves nothing).

🔧 Temporary Workarounds

Restrict Backend Access (platform: all)

Limit access to the Subrion backend/admin panel to trusted IP addresses only. Note that Subrion's admin path is configurable (default /panel/), that .htaccess files are ignored unless AllowOverride permits these directives, and that an allowlist at the reverse proxy or firewall is more robust than one in .htaccess.

# .htaccess in the admin panel directory (default /panel/; use your configured admin URL). Apache 2.4:
<RequireAny>
    Require ip 192.168.1.0/24
    Require ip 10.0.0.0/8
</RequireAny>
# Apache 2.2 (or 2.4 with mod_access_compat loaded) equivalent:
# Order Deny,Allow
# Deny from all
# Allow from 192.168.1.0/24
# Allow from 10.0.0.0/8

Disable PHP Execution in Uploads (platform: linux)

Prevent the web server from executing scripts placed in the uploads directory, so that a file dropped there through the backend cannot be reached directly. This limits impact; it does not close the vulnerability. Match all server-side script extensions, not only .php, and use the directive syntax for your Apache version (the 2.2 "Deny from all" form fails on 2.4 without mod_access_compat). nginx does not read .htaccess; add the equivalent location rule in its configuration.

# .htaccess in the uploads directory. Apache 2.4:
<FilesMatch "\.(php|phtml|phar|php[0-9])$">
    Require all denied
</FilesMatch>
# Apache 2.2 (or 2.4 with mod_access_compat) equivalent:
# <FilesMatch "\.(php|phtml|phar|php[0-9])$">
#     Deny from all
# </FilesMatch>

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate the Subrion server from critical systems
  • Run the PHP process under a dedicated low-privilege account with the application code tree read-only to it, so that command execution from the backend cannot modify application files
  • Enable detailed logging and monitoring for suspicious backend activity and file uploads, and alert on any new executable file appearing in the web root or uploads tree

🔍 How to Verify

Check if Vulnerable:

Check the Subrion version in the admin panel or read the IA_VERSION constant in includes/constants.php. Grepping the whole tree for the string 4.2.1 is noisy (it also matches 4.2.10, dates and unrelated files); check the constant instead.

Check Version:

grep -n "IA_VERSION" /path/to/subrion/includes/constants.php

Verify Fix Applied:

Verify that the version is 4.2.2 or higher in the admin panel and in includes/constants.php, and that the deployed files actually contain the fix from the advisory; a version constant can be edited without upgrading.
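The check above can be scripted so it is repeatable across many installs. The following Python script is an added example, not part of Subrion or of this advisory. It follows the page's pointer to includes/constants.php and assumes the version is declared there as define('IA_VERSION', '...'); 4.2.2 is the fixed version the page reports. It compares versions as integer tuples rather than strings, because a string comparison wrongly treats "4.2.10" as older than "4.2.2". The constants.php contents at the bottom are constructed for the example.

```python
"""Read Subrion's declared version and decide whether the install is below the fixed release.

Added example, not Subrion code. Assumes includes/constants.php declares
define('IA_VERSION', '<version>'); adjust VERSION_RE if your copy differs.
"""
import re
import sys
from pathlib import Path

# First release the advisory page reports as fixed; confirm against the vendor's releases.
FIXED = (4, 2, 2)

# Matches define('IA_VERSION', '4.2.1'); with either quote style and optional whitespace.
VERSION_RE = re.compile(r"""define\(\s*['"]IA_VERSION['"]\s*,\s*['"]([^'"]+)['"]\s*\)""")


def parse_version(text):
    """Return the IA_VERSION string from constants.php contents, or None if it is not declared."""
    m = VERSION_RE.search(text)
    return m.group(1) if m else None


def version_tuple(v):
    """'4.2.1' -> (4, 2, 1). Parsing stops at the first non-numeric component ('4.2.1-beta' -> (4, 2, 1))."""
    parts = []
    for component in v.split("."):
        digits = re.match(r"\d+", component)
        if not digits:
            break
        parts.append(int(digits.group()))
    return tuple(parts)


def is_vulnerable(version):
    """True when the declared version sorts below the fixed release."""
    return version_tuple(version) < FIXED


def check_install(root):
    """Inspect a Subrion install root. Returns (version, vulnerable); raises if the constant is absent."""
    const = Path(root) / "includes" / "constants.php"
    version = parse_version(const.read_text(encoding="utf-8", errors="replace"))
    if version is None:
        raise ValueError(f"IA_VERSION not found in {const}")
    return version, is_vulnerable(version)


# Constructed sample of the relevant line in constants.php (not a real file from the project).
SAMPLE_CONSTANTS = "<?php\n// constructed sample\ndefine('IA_VERSION', '4.2.1');\n"

if __name__ == "__main__":
    if len(sys.argv) > 1:
        version, vuln = check_install(sys.argv[1])
    else:
        version = parse_version(SAMPLE_CONSTANTS)
        vuln = is_vulnerable(version)
    print(f"IA_VERSION={version} -> {'VULNERABLE' if vuln else 'at or above fixed release'}")
```

Run it as `python3 check_subrion.py /var/www/subrion` against a real install root; with no argument it evaluates the constructed sample. A "fixed" verdict only means the declared version is high enough; still confirm the fix is present in the deployed code.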

📡 Detection & Monitoring

Log Indicators:

  • Unusual file uploads through the backend, especially files with server-side script extensions (.php, .phtml, .phar)
  • POST requests to backend endpoints from addresses outside the trusted admin networks, or outside normal admin working hours
  • Requests for .php/.phtml/.phar files under the uploads directory (200 means a script was served; 403 means the uploads .htaccess workaround blocked it)

Network Indicators:

  • Unexpected outbound connections from the web server (reverse shells, tool downloads, callbacks to attacker infrastructure)
  • Shell metacharacters or command names (;, |, $(, backticks, /bin/sh, wget, curl) in request parameters, visible after URL decoding

SIEM Query:

source="web_logs" AND ((uri="*/panel/*" AND method="POST" AND bytes>10000) OR uri="*/uploads/*.php")

The backend path is /panel/ by default; substitute your configured admin URL (the original query used /admin/). The bytes field in the standard combined log format is the response size, so a request-body threshold only works if the server logs bytes received (for Apache, %I from mod_logio). Parenthesise the clauses as shown; without them the AND/OR precedence silently drops the uploads condition.
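The same indicators can be checked offline against an access log when no SIEM is in place. The following Python script is an added example, not part of Subrion or of this advisory. It assumes the admin panel is at /panel/ (Subrion's default; substitute your configured path), uploads at /uploads/, and the trusted admin networks from the workaround above; the backend endpoint and the log lines embedded at the end are constructed for the example.

```python
"""Scan combined-format web access logs for the backend RCE indicators listed on this page.

Added example, not Subrion tooling. Paths and trusted networks below are assumptions.
"""
import ipaddress
import re
import sys
from urllib.parse import unquote

# Assumptions, adjust for your install (Subrion's admin path is configurable; /panel/ is the default).
ADMIN_PATH = "/panel/"
UPLOADS_PATH = "/uploads/"
TRUSTED_NETS = [ipaddress.ip_network("192.168.1.0/24"), ipaddress.ip_network("10.0.0.0/8")]

# Combined Log Format: ip ident user [time] "method uri proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\d+|-)'
)
# Server-side script extensions that should never be served from the uploads tree.
EXEC_EXT_RE = re.compile(r"\.(php|phtml|phar|php\d)$", re.IGNORECASE)
# Crude shell-metacharacter / command patterns, checked after URL decoding. Tune for your traffic.
SHELL_RE = re.compile(r"(;|\|\||&&|\$\(|`|/bin/(ba)?sh|\bwget\b|\bcurl\b)")


def parse_line(line):
    """Parse one combined-format line into a dict, or return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["bytes"] = 0 if entry["bytes"] == "-" else int(entry["bytes"])
    return entry


def is_trusted(ip):
    """True when the client address falls inside one of the trusted admin networks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_NETS)


def classify(entry):
    """Return the list of indicator names triggered by one parsed log entry (empty if benign)."""
    hits = []
    uri = entry["uri"]
    path = uri.split("?", 1)[0]
    if path.startswith(UPLOADS_PATH) and EXEC_EXT_RE.search(path):
        # 200 means the server executed/served a script from uploads; anything else was refused.
        hits.append("php_under_uploads_served" if entry["status"] == "200" else "php_under_uploads_blocked")
    if path.startswith(ADMIN_PATH) and entry["method"] == "POST" and not is_trusted(entry["ip"]):
        hits.append("admin_post_from_untrusted_ip")
    if SHELL_RE.search(unquote(uri)):
        hits.append("shell_pattern_in_request")
    return hits


def scan(lines):
    """Return (ip, uri, indicators) for every line that triggers at least one indicator."""
    findings = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        hits = classify(entry)
        if hits:
            findings.append((entry["ip"], entry["uri"], hits))
    return findings


# Constructed sample log; the /panel/uploads/ endpoint is illustrative, not a documented Subrion route.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '192.168.1.20 - - [10/Oct/2023:13:56:01 +0000] "POST /panel/uploads/ HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Oct/2023:13:57:12 +0000] "POST /panel/uploads/ HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Oct/2023:13:57:50 +0000] "GET /uploads/shell.php HTTP/1.1" 403 199 "-" "curl/8.0"',
    '198.51.100.9 - - [10/Oct/2023:13:58:03 +0000] "GET /uploads/shell.php?cmd=id HTTP/1.1" 200 87 "-" "curl/8.0"',
    '198.51.100.9 - - [10/Oct/2023:13:58:40 +0000] "GET /uploads/shell.php?cmd=id%3Bcat%20/etc/passwd HTTP/1.1" 200 1311 "-" "curl/8.0"',
]

if __name__ == "__main__":
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE_LOG
    for ip, uri, hits in scan(source):
        print(f"{ip} {uri} -> {', '.join(hits)}")
```

Feed a real log with `python3 scan_subrion.py < /var/log/apache2/access.log`; with no input it runs over the constructed sample. The admin POST from 192.168.1.20 is deliberately not reported, which is the point of pairing the detection with the IP allowlist workaround: once the allowlist is enforced, any backend POST that still arrives from elsewhere is itself worth investigating.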
