CVE-2023-30801
qBittorrent Web UI Default Credentials Lead to RCE
In short
qBittorrent's web interface ships with a default username and password that the administrator is never forced to change. Anyone who can reach the web UI can log in with those defaults and, through its "run external program" option, execute commands on the host. The flaw is rated critical because a remote attacker needs no prior access and ends up with full control of the system.
Technical detail
The weakness is CWE-1392 (Use of Default Credentials). qBittorrent versions up to and including 4.5.5 enable the web UI with a known default username and password and never require a credential change. A remote attacker who can reach the web UI authenticates with those defaults and then uses the "external program" feature (a program run on torrent completion) to execute arbitrary operating-system commands with the privileges of the qBittorrent process. The issue was reportedly exploited in the wild in March 2023.
Summary generated and translated by AI from the official description.
All versions of the qBittorrent client through 4.5.5 use default credentials when the web user interface is enabled. The administrator is not forced to change the default credentials. As of 4.5.5, this issue has not been fixed. A remote attacker can use the default credentials to authenticate and execute arbitrary operating system commands using the "external program" feature in the web user interface. This was reportedly exploited in the wild in March 2023.
CVSS 3.1 vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (base score 9.8, Critical)
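The check a practitioner would run against the description above, as an added example that is not part of the original advisory or of qBittorrent's own code: it POSTs the shipped defaults (admin / adminadmin, the "known defaults" the description refers to) to the Web UI's /api/v2/auth/login endpoint and classifies the answer, which qBittorrent returns as the plain-text body "Ok." or "Fails.". The target URL, timeout and result labels are assumptions for this example; it deliberately stops at authentication and does not touch the "external program" setting.

```python
"""Audit check: does a qBittorrent Web UI still accept the shipped default credentials?

Added example for CVE-2023-30801; not part of the advisory or of qBittorrent.
"""
import sys
import urllib.parse
import urllib.request
from urllib.error import HTTPError, URLError

# Defaults shipped by qBittorrent <= 4.5.5 when the Web UI is enabled.
DEFAULT_USER = "admin"
DEFAULT_PASSWORD = "adminadmin"
LOGIN_PATH = "/api/v2/auth/login"


def build_login_request(base_url, username=DEFAULT_USER, password=DEFAULT_PASSWORD):
    """Build the POST the Web UI API expects: form-encoded username/password.

    The Web UI's CSRF protection rejects a Referer/Origin that does not match
    the host, so the Referer is set to the target itself.
    """
    base = base_url.rstrip("/")
    body = urllib.parse.urlencode({"username": username, "password": password}).encode()
    req = urllib.request.Request(base + LOGIN_PATH, data=body, method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    req.add_header("Referer", base + "/")
    return req


def classify_login(status, body):
    """Map the API's answer to an audit verdict (labels are this example's own).

    qBittorrent answers HTTP 200 with body "Ok." on success and "Fails." on bad
    credentials; HTTP 403 means the client IP has been banned after too many
    failed attempts.
    """
    text = body.strip()
    if status == 200 and text == "Ok.":
        return "DEFAULT_CREDENTIALS_ACCEPTED"
    if status == 200 and text == "Fails.":
        return "REJECTED"
    if status == 403:
        return "BANNED"
    return "UNEXPECTED"


def check_host(base_url, timeout=5.0):
    """Send the default-credential login to one Web UI and return the verdict."""
    req = build_login_request(base_url)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify_login(resp.status, resp.read().decode("utf-8", "replace"))
    except HTTPError as err:  # non-2xx answers (e.g. 403 banned) land here
        return classify_login(err.code, err.read().decode("utf-8", "replace"))
    except URLError as err:
        return f"UNREACHABLE ({err.reason})"


if __name__ == "__main__":
    # Assumed target; the default Web UI port is 8080.
    target = sys.argv[1] if len(sys.argv) > 1 else "http://127.0.0.1:8080"
    print(target, "->", check_host(target))
```

A verdict of DEFAULT_CREDENTIALS_ACCEPTED on a host you are responsible for means the instance is exposed as described above; the immediate mitigation is to set a strong, unique Web UI password (Tools > Options > Web UI) and to keep the interface off untrusted networks. Run the check only against systems you are authorised to test.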
Affected products
qBittorrent · qBittorrent client
References
https://github.com/qbittorrent/qBittorrent/issues/18731
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T5WXBKELVZFZNIDONIJESOCSRPIQNCGI/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U4BNFJR3ZWVLE2YSYIQYBWVDQBBZOLEL/
https://vulncheck.com/advisories/qbittorrent-default-creds