CVE-2023-30801
CRITICAL EXPLOITED IN THE WILDqBittorrent <= 4.5.5 - Unauthenticated Remote Code Execution via Default Credentials
Title source: llmExploitation Summary
CVE-2023-30801 has been observed exploited in the wild (reported by VulnCheck KEV, InTheWild.io).
Description
All versions of the qBittorrent client through 4.5.5 use default credentials when the web user interface is enabled. The administrator is not forced to change the default credentials. As of 4.5.5, this issue has not been fixed. A remote attacker can use the default credentials to authenticate and execute arbitrary operating system commands using the "external program" feature in the web user interface. This was reportedly exploited in the wild in March 2023.
References (4)
Core 4
Core References
Mailing List, Third Party Advisory
https://lists.fedoraproject.org/archives/list/[email protected]/message/T5WXBKELVZFZNIDONIJESOCSRPIQNCGI/
Mailing List, Third Party Advisory
https://lists.fedoraproject.org/archives/list/[email protected]/message/U4BNFJR3ZWVLE2YSYIQYBWVDQBBZOLEL/
Issue Tracking issue-tracking
https://github.com/qbittorrent/qBittorrent/issues/18731
Third Party Advisory third-party-advisory
https://vulncheck.com/advisories/qbittorrent-default-creds
Scores
CVSS v3
9.8
EPSS
0.0091
EPSS Percentile
55.1%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
VulnCheck KEV
2023-03-19
InTheWild.io
2023-10-10
CWE
CWE-1392
CWE-798
Status
published
Products (1)
qbittorrent/qbittorrent
< 4.5.5
Published
Oct 10, 2023
Tracked Since
Feb 18, 2026