CVE-2023-48390 – Multisuns EasyLog web+ has a critical code inje... (How to Fix)

Q: What is the severity of CVE-2023-48390?

CVE-2023-48390 has a CVSS score of 9.8 (CRITICAL). Multisuns EasyLog web+ has a critical code injection vulnerability (CWE-94) that allows unauthenticated remote attackers to execute arbitrary code on affected systems. This enables complete system compromise, allowing attackers to perform any system operations or disrupt services. Organizations using vulnerable versions of EasyLog web+ are affected.

📋 TL;DR

Multisuns EasyLog web+ has a critical code injection vulnerability (CWE-94) that allows unauthenticated remote attackers to execute arbitrary code on affected systems. This enables complete system compromise, allowing attackers to perform any system operations or disrupt services. Organizations using vulnerable versions of EasyLog web+ are affected.

💻 Affected Systems

Products:

Multisuns EasyLog web+

Versions: Specific versions not detailed in provided references, but all versions before patched version are likely affected

Operating Systems: Any OS running EasyLog web+

Default Config Vulnerable: ⚠️ Yes

Notes: Vulnerability exists in the web interface component, affecting all deployments unless specifically patched.

📦 What is this software?

Easylog Web\+ Firmware by Multisuns

View all CVEs affecting Easylog Web\+ Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system takeover with full administrative control, data theft, ransomware deployment, and permanent system destruction.

🟠

Likely Case

Initial foothold leading to lateral movement, data exfiltration, and deployment of additional malware payloads.

🟢

If Mitigated

Limited impact if properly segmented and monitored, but still potential for service disruption.

🌐 Internet-Facing: HIGH - Unauthenticated remote exploitation makes internet-facing instances extremely vulnerable to automated attacks.

🏢 Internal Only: HIGH - Even internal instances are vulnerable to insider threats or compromised internal systems.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

CVSS 9.8 indicates trivial exploitation with high impact. Unauthenticated nature makes this highly attractive for attackers.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not specified in provided references

Vendor Advisory: https://www.twcert.org.tw/tw/cp-132-7605-2d86d-1.html

Restart Required: Yes

Instructions:

1. Contact Multisuns for latest patched version. 2. Backup configuration and data. 3. Apply vendor-provided patch. 4. Restart EasyLog web+ service. 5. Verify patch application.

🔧 Temporary Workarounds

Network Segmentation

all

Isolate EasyLog web+ instances from internet and restrict internal network access

Web Application Firewall

all

Deploy WAF with code injection protection rules

🧯 If You Can't Patch

Immediately take affected systems offline until patched
Implement strict network access controls and monitor for exploitation attempts

🔍 How to Verify

Check if Vulnerable:

Check EasyLog web+ version against vendor advisory. Monitor for unexpected code execution or system modifications.

Check Version:

Check EasyLog web+ administration interface or configuration files for version information

Verify Fix Applied:

Verify patch version installation and test that code injection attempts are blocked.

📡 Detection & Monitoring

Log Indicators:

Unusual code execution patterns
Unexpected system commands in logs
Authentication bypass attempts

Network Indicators:

Unusual outbound connections from EasyLog server
Suspicious payloads in HTTP requests

SIEM Query:

source="easylog" AND (event="code_execution" OR event="unauthorized_access")

📊 Metadata

CVE ID: CVE-2023-48390

CVSS v3 Score: 9.8 (CRITICAL)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-94

Published: December 15, 2023

Last Updated: November 21, 2024

🔗 References

https://www.twcert.org.tw/tw/cp-132-7605-2d86d-1.html Third Party Advisory
https://www.twcert.org.tw/tw/cp-132-7605-2d86d-1.html Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2023-48390, you might also want to check these: