CVE-2023-0391

HIGH

MGT-COMMERCE CloudPanel <2.2.1 - Info Disclosure

Title source: llm

Description

MGT-COMMERCE CloudPanel ships with a static SSL certificate to encrypt communications to the administrative interface, shared across every installation of CloudPanel. This behavior was observed in version 2.2.0. There has been no indication from the vendor this has been addressed in version 2.2.1.

References (2)

[Exploit, Third Party Advisory] https://www.rapid7.com/blog/post/2023/03/21/cve-2023-0391-mgt-commerce-cloudpanel-shared-certificate-vulnerability-and-weak-installation-procedures/

[Exploit, Press/Media Coverage, Third Party Advisory] https://www.bleepingcomputer.com/news/security/cloudpanel-installations-use-the-same-ssl-certificate-private-key/

Scores

CVSS v3 8.1

EPSS 0.0018

EPSS Percentile 38.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact total

Details

CWE

CWE-321 CWE-798

Status published

Products (1)

mgt-commerce/cloudpanel < 2.2.1

Published Mar 21, 2023

Tracked Since Feb 18, 2026