VDB

CVE-2023-30801

CVE-2023-30801 PUBLISHED CVSS 9.8 CRITICAL

All versions of the qBittorrent client through 4.5.5 use default credentials when the web user interface is enabled. The administrator is not forced to change the default credentials. As of 4.5.5, this issue has not been fixed. A remote attacker can use the default credentials to authenticate and execute arbitrary operating system commands using the "external program" feature in the web user interface. This was reportedly exploited in the wild in March 2023.

EPSS 0.63% · 70.6th percentile

Risk Scores

CVSS 3.1
9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score
0.63%
70.6th percentile

Affected Products

Vendor        Product             Versions
qBittorrent   qBittorrent client  0, 0
qbittorrent   qbittorrent         0, 0, 0

Timeline

  • Oct 10, 2023 CVE Published
  • Oct 10, 2023 PoC Published
  • Oct 11, 2023 EPSS Score
  • Nov 11, 2023 EPSS Score
  • Dec 13, 2023 EPSS Score
  • Feb 14, 2024 EPSS Score
  • Mar 16, 2024 EPSS Score
  • Apr 17, 2024 EPSS Score
  • May 18, 2024 EPSS Score
  • Jun 19, 2024 EPSS Score
  • Aug 20, 2024 EPSS Score
  • Sep 21, 2024 EPSS Score