CVE-2023-24055

MEDIUM EXPLOITED

KeePass < 2.53 - Cleartext Password Exposure via Export Trigger

Title source: llm
STIX 2.1

Exploitation Summary

CVE-2023-24055 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 7 public exploits from researchers including alt3kx, deetl, Cyb3rtus.

AI-analyzed exploit summary This repository provides a functional proof-of-concept for CVE-2023-24055, demonstrating how an attacker with write access to KeePass's configuration file can inject malicious triggers to exfiltrate cleartext passwords via XML export and PowerShell exfiltration.

Description

KeePass through 2.53 (in a default installation) allows an attacker, who has write access to the XML configuration file, to obtain the cleartext passwords by adding an export trigger. NOTE: the vendor's position is that the password database is not intended to be secure against an attacker who has that level of access to the local PC.

Exploits (7)

nomisec WORKING POC 255 stars
by alt3kx · local
https://github.com/alt3kx/CVE-2023-24055_PoC

This repository provides a functional proof-of-concept for CVE-2023-24055, demonstrating how an attacker with write access to KeePass's configuration file can inject malicious triggers to exfiltrate cleartext passwords via XML export and PowerShell exfiltration.

Classification
Working Poc 95%
Attack Type
Info Leak
Complexity
Moderate
Reliability
Reliable
Target: KeePass 2.5x
Auth required
Prerequisites: Write access to KeePass.config.xml · Victim interaction (e.g., saving the database)
devstral-2 · analyzed Feb 19, 2026 Full analysis →
nomisec WORKING POC 65 stars
by deetl · infoleak
https://github.com/deetl/CVE-2023-24055

This repository contains a functional proof-of-concept exploit for CVE-2023-24055, which manipulates KeePass's configuration file to add a malicious trigger that exports the database without requiring a master password. The PoC includes both a scanner to detect dangerous triggers and an exploit to inject a malicious export trigger.

Classification
Working Poc 95%
Attack Type
Info Leak
Complexity
Moderate
Reliability
Reliable
Target: KeePass (versions affected by CVE-2023-24055)
No auth needed
Prerequisites: Access to the target's file system to modify KeePass.config.xml · KeePass installed and configured on the target system
devstral-2 · analyzed Feb 18, 2026 Full analysis →
nomisec SCANNER 1 stars
by Cyb3rtus · poc
https://github.com/Cyb3rtus/keepass_CVE-2023-24055_yara_rule

This repository provides a YARA rule to detect potentially compromised KeePass configuration files related to CVE-2023-24055. It does not contain exploit code but aids in identifying affected systems.

Classification
Scanner 90%
Attack Type
Info Leak
Complexity
Trivial
Reliability
Reliable
Target: KeePass (versions affected by CVE-2023-24055)
No auth needed
Prerequisites: Access to the target system's file system
devstral-2 · analyzed Feb 18, 2026 Full analysis →
nomisec WORKING POC 1 stars
by zwlsix · local
https://github.com/zwlsix/KeePass-CVE-2023-24055

This repository provides a functional proof-of-concept for CVE-2023-24055, demonstrating how KeePass's trigger system can be abused to exfiltrate plaintext passwords via a malicious XML configuration. The PoC includes detailed steps and XML payloads to export credentials and send them to an attacker-controlled server using PowerShell.

Classification
Working Poc 95%
Attack Type
Info Leak
Complexity
Moderate
Reliability
Reliable
Target: KeePass 2.53
No auth needed
Prerequisites: Access to modify KeePass.config.xml · Network connectivity to attacker-controlled server
devstral-2 · analyzed Feb 18, 2026 Full analysis →
nomisec WORKING POC 1 stars
by julesbozouklian · infoleak
https://github.com/julesbozouklian/PoC_CVE-2023-24055

This PoC exploits CVE-2023-24055 in KeePass by modifying the KeePass.config.xml file to create a malicious trigger that exports database entries in cleartext to a temporary file. The script requires administrative privileges to modify directory permissions and the configuration file.

Classification
Working Poc 95%
Attack Type
Info Leak
Complexity
Moderate
Reliability
Reliable
Target: KeePass Password Safe 2 versions below 2.53
Auth required
Prerequisites: Administrative privileges · KeePass installed in default directory · User interaction to open KeePass after script execution
devstral-2 · analyzed Feb 18, 2026 Full analysis →
nomisec WRITEUP
by digital-dev · poc
https://github.com/digital-dev/KeePass-TriggerLess

The repository contains source code files from KeePass, specifically focusing on the 'TriggerLess' modification. It includes configuration and application definition files but lacks explicit exploit code or technical analysis of CVE-2023-24055.

Classification
Writeup 90%
Attack Type
Other
Complexity
Moderate
Reliability
Theoretical
Target: KeePass 2.53.1
No auth needed
Prerequisites: Access to KeePass source code · Understanding of KeePass triggers and configuration
devstral-2 · analyzed Feb 18, 2026 Full analysis →
nomisec WORKING POC
by yosef0x01 · poc
https://github.com/yosef0x01/CVE-2023-24055

This PowerShell script exploits CVE-2023-24055 in KeePass by modifying the XML configuration file to add an export trigger, allowing cleartext password extraction and optional exfiltration to a remote URL. It demonstrates the vulnerability by altering KeePass triggers to export credentials to a specified file and optionally upload them via a crafted PowerShell command.

Classification
Working Poc 95%
Attack Type
Info Leak
Complexity
Moderate
Reliability
Reliable
Target: KeePass up to 2.53
No auth needed
Prerequisites: Write access to KeePass configuration file · KeePass installed with default settings
devstral-2 · analyzed Feb 18, 2026 Full analysis →

References (3)

Core 3

Scores

CVSS v3 5.5
EPSS 0.0366
EPSS Percentile 88.2%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

VulnCheck KEV 2023-04-24
CWE
CWE-312
Status published
Products (1)
keepass/keepass < 2.53
Published Jan 22, 2023
Tracked Since Feb 18, 2026