CVE-2023-49032

9.8 CRITICAL

📋 TL;DR

CVE-2023-49032 is a critical vulnerability in LTB Self Service Password that allows remote attackers to hijack SMS verification codes and send them to arbitrary phone numbers. This enables attackers to bypass authentication, execute arbitrary code, and access sensitive information. All organizations using LTB Self Service Password versions before 1.5.4 are affected.

💻 Affected Systems

Products:
  • LTB Self Service Password
Versions: All versions before 1.5.4
Operating Systems: All operating systems running LTB Self Service Password
Default Config Vulnerable: ⚠️ Yes
Notes: Any installation with SMS verification enabled is vulnerable. The vulnerability exists in the SMS verification functionality.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise with remote code execution, administrative access to the password reset system, and potential lateral movement to connected systems.

🟠 Likely Case

Unauthorized password resets for user accounts, privilege escalation, and potential access to sensitive user data.

🟢 If Mitigated

Limited impact with proper network segmentation, strong authentication controls, and monitoring in place.

🌐 Internet-Facing: HIGH - The vulnerability can be exploited remotely without authentication, making internet-facing instances extremely vulnerable.
🏢 Internal Only: HIGH - Even internal instances are vulnerable to internal attackers or compromised internal systems.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Proof of concept code is publicly available, making exploitation straightforward for attackers with basic skills.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.5.4

Vendor Advisory: https://github.com/ltb-project/self-service-password/issues/816

Restart Required: Yes

Instructions:

1. Back up the current configuration and data.
2. Download version 1.5.4 from the official repository.
3. Replace the existing installation with the patched version.
4. Restart the web service.
5. Verify functionality.

🔧 Temporary Workarounds

Disable SMS Verification (platform: all)

Temporarily disable SMS-based password reset functionality to prevent exploitation.

Edit the configuration file to set 'sms' => false in the authentication settings.

Network Restriction (platform: linux)

Restrict access to the self-service password portal to trusted IP ranges only. Replace TRUSTED_IP_RANGE with your own address range; the ACCEPT rules must be appended before the DROP rules, in the order listed, or the portal becomes unreachable for everyone.

iptables -A INPUT -p tcp --dport 80 -s TRUSTED_IP_RANGE -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -s TRUSTED_IP_RANGE -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP
iptables -A INPUT -p tcp --dport 443 -j DROP

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate the vulnerable system
  • Enable detailed logging and monitoring for all SMS verification attempts

🔍 How to Verify

Check if Vulnerable:

Check the version number in the application's admin interface or configuration files. If version is below 1.5.4, the system is vulnerable.

Check Version:

grep -i version /path/to/self-service-password/config/*.php

Alternatively, check the version shown in the web interface footer.

Verify Fix Applied:

After patching, verify the version shows 1.5.4 or higher and test SMS verification functionality with controlled tests.

📡 Detection & Monitoring

Log Indicators:

  • Multiple failed SMS verification attempts from single IP
  • SMS verification requests to unusual phone numbers
  • Unusual patterns in password reset logs

Network Indicators:

  • Unusual spikes in traffic to SMS API endpoints
  • Requests to SMS verification endpoints from unexpected sources

SIEM Query:

source="self-service-password.log" AND (sms_verification OR password_reset) AND status="success" | stats count by src_ip, phone_number
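The log indicators above can be turned into a concrete triage script. The following is an added example, not part of this advisory or of the LTB Self Service Password project; it assumes a constructed key=value log format and a constructed user-to-phone directory mapping, and flags codes sent to a number other than the user's directory number, one number receiving codes for several users, and sources making many SMS or reset requests.

```python
import re
from collections import Counter, defaultdict

# Constructed key=value log format for this example; it is an assumption,
# not the real LTB Self Service Password log layout. Adjust LINE_RE to fit yours.
LINE_RE = re.compile(
    r"(?P<ts>\S+) src_ip=(?P<ip>\S+) user=(?P<user>\S+) event=(?P<event>\S+) "
    r"phone=(?P<phone>\S+) status=(?P<status>\S+)"
)

# Constructed directory lookup standing in for each user's mobile number in LDAP.
DIRECTORY = {"alice": "+15550100", "bob": "+15550200"}

# Constructed sample: one legitimate reset, then one source that has several
# users' codes delivered to a single number belonging to neither user.
SAMPLE_LOG = [
    "2024-01-15T10:00:01Z src_ip=198.51.100.7 user=alice event=sms_verification phone=+15550100 status=success",
    "2024-01-15T10:00:09Z src_ip=203.0.113.5 user=alice event=sms_verification phone=+15559999 status=success",
    "2024-01-15T10:00:12Z src_ip=203.0.113.5 user=bob event=sms_verification phone=+15559999 status=success",
    "2024-01-15T10:00:15Z src_ip=203.0.113.5 user=bob event=password_reset phone=+15559999 status=success",
    "2024-01-15T10:01:30Z src_ip=198.51.100.8 user=bob event=sms_verification phone=+15550200 status=failed",
]

WATCHED_EVENTS = {"sms_verification", "password_reset"}

def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def analyze(lines, directory, ip_threshold=3):
    """mismatched: code sent to a number that is not the user's directory number;
    shared_phones: one number receiving codes for more than one user;
    noisy_ips: sources making at least ip_threshold SMS/reset requests."""
    mismatched, by_ip, phone_users = [], Counter(), defaultdict(set)
    for rec in filter(None, map(parse_line, lines)):
        if rec["event"] not in WATCHED_EVENTS:
            continue
        by_ip[rec["ip"]] += 1
        phone_users[rec["phone"]].add(rec["user"])
        expected = directory.get(rec["user"])
        if expected is not None and rec["phone"] != expected:
            mismatched.append((rec["ts"], rec["ip"], rec["user"], rec["phone"]))
    return {
        "mismatched": mismatched,
        "shared_phones": {p: sorted(u) for p, u in phone_users.items() if len(u) > 1},
        "noisy_ips": sorted(ip for ip, n in by_ip.items() if n >= ip_threshold),
    }
```

Run `analyze(SAMPLE_LOG, DIRECTORY)` to see all three signals fire on the constructed source 203.0.113.5; the directory mismatch check is the one that matters for this CVE, since a single redirected code need not produce any volume anomaly.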
