CVE-2023-38198
CRITICAL EXPLOITED IN THE WILDacme.sh < 3.0.6 - Remote Code Execution via Eval of Untrusted Commands
Title source: llmExploitation Summary
CVE-2023-38198 has been observed exploited in the wild (reported by VulnCheck KEV, InTheWild.io).
Description
acme.sh before 3.0.6 runs arbitrary commands from a remote server via eval, as exploited in the wild in June 2023.
References (7)
Core 7
Core References
Issue Tracking, Third Party Advisory
https://github.com/acmesh-official/acme.sh/issues/4659
Third Party Advisory
https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/heXVr8o83Ys
Third Party Advisory
https://news.ycombinator.com/item?id=36252310
Third Party Advisory
https://news.ycombinator.com/item?id=36254093
Third Party Advisory
https://www.reddit.com/r/netsec/comments/144ygg7/acmesh_runs_arbitrary_commands_from_a_remote/
Mailing List, Third Party Advisory mailing-list
http://www.openwall.com/lists/oss-security/2023/07/13/1
Scores
CVSS v3
9.8
EPSS
0.0093
EPSS Percentile
56.3%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
total
Details
VulnCheck KEV
2023-07-12
InTheWild.io
2023-07-13
CWE
CWE-94
Status
published
Products (1)
acme.sh_project/acme.sh
< 3.0.6
Published
Jul 13, 2023
Tracked Since
Feb 18, 2026