Description
Eclipse Equinox OSGi versions 3.8 through 3.18 contain a remote code execution vulnerability in the console interface that allows unauthenticated attackers to execute arbitrary code by exploiting the fork command functionality. Attackers can establish a telnet connection to the OSGi console, perform a telnet handshake, and send fork commands to download and execute malicious Java code, establishing a reverse shell connection.
Published: 2026-05-05
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw is an improper restriction of privileges in the Eclipse Equinox OSGi console, allowing any unauthenticated user who can reach the console port to execute arbitrary Java code by using the fork command. An attacker can open a telnet session, complete the handshake, send a fork command that downloads malicious code, and the code runs with the privileges of the OSGi framework, effectively creating a reverse shell.

Affected Systems

Vendor: equinox. Product: OSGi. Affected versions: 3.8 through 3.18.

Risk and Exploitability

The CVSS score is 9.3, indicating critical severity, and the EPSS score is not available. The vulnerability is not listed in CISA KEV. Attackers need network access to the OSGi console but no authentication, making exploitation straightforward for anyone with connectivity to the console port.

Generated by OpenCVE AI on May 5, 2026 at 12:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Equinox OSGi to the latest version that removes the insecure console access or applies the vendor patch that disables the fork command.
  • Restrict network access to the OSGi console by configuring firewalls or segmenting the network so only trusted hosts can reach the console port.
  • If upgrading is not immediately possible, disable the OSGi console or remove the fork command from the console command set to eliminate the attack vector.
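The second and third actions above come down to one question for a deployed Equinox framework: is the console listening on a network port that untrusted hosts can reach? The following script, added here as an illustration and not taken from OpenCVE or the Eclipse project, audits a config.ini for that condition and produces the hardened copy. It assumes (not stated by the advisory) that the console listener is configured through the `osgi.console` framework property, that a bare port value listens on all interfaces, and that a `host:port` value binds to that host; the sample config.ini is constructed.

```python
"""Audit an Equinox config.ini for a network-exposed OSGi console.

Added example, not code from OpenCVE or Eclipse Equinox. Assumption: the
console listener is controlled by the `osgi.console` property, where a bare
port means all interfaces and host:port binds to the named host.
"""
import re
from typing import Dict, List

# Addresses that keep the listener off the network (assumption, see above).
LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}

# Constructed sample config.ini; the bundle version is a placeholder.
EXPOSED_CONFIG = """\
# constructed Equinox config.ini
osgi.bundles=reference:file:plugins/org.eclipse.equinox.console_VERSION.jar@start
osgi.console=1234
"""


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal Java .properties parser: key=value or key:value, '#'/'!' comments."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"^([^=:\s]+)\s*[=:]?\s*(.*)$", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def audit_console(props: Dict[str, str]) -> List[str]:
    """Return findings about console exposure; an empty list means none found."""
    findings: List[str] = []
    value = props.get("osgi.console")
    if value is None:
        return findings  # property absent: no console listener configured here
    host, sep, port = value.rpartition(":")
    if not sep:
        host, port = "", value  # bare port, no host part
    if not port.isdigit():
        findings.append(f"osgi.console={value!r}: value is not host:port; review manually")
        return findings
    if host == "" or host in ("0.0.0.0", "::"):
        findings.append(
            f"osgi.console={value}: unauthenticated telnet console reachable on "
            f"every interface (port {port})"
        )
    elif host not in LOOPBACK_HOSTS:
        findings.append(f"osgi.console={value}: console bound to non-loopback address {host}")
    return findings


def harden(props: Dict[str, str]) -> Dict[str, str]:
    """Return a copy with the network console disabled, the action recommended above."""
    out = dict(props)
    out.pop("osgi.console", None)
    return out


if __name__ == "__main__":
    props = parse_properties(EXPOSED_CONFIG)
    for finding in audit_console(props):
        print("FINDING:", finding)
    print("findings after hardening:", audit_console(harden(props)))
```

Run it against each framework instance's config.ini (or against the launcher's `-D` properties, which override the file); a loopback binding is treated as acceptable only because the advisory's attack path requires network reachability of the console port, so a host that must keep the console should still combine this with the firewall restriction from the second action.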

Generated by OpenCVE AI on May 5, 2026 at 12:29 UTC.


Advisories

No advisories yet.

History

Tue, 05 May 2026 15:15:00 +0000

Metrics (ssvc), values added:
{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 05 May 2026 11:45:00 +0000

Description, values added: Eclipse Equinox OSGi versions 3.8 through 3.18 contain a remote code execution vulnerability in the console interface that allows unauthenticated attackers to execute arbitrary code by exploiting the fork command functionality. Attackers can establish a telnet connection to the OSGi console, perform a telnet handshake, and send fork commands to download and execute malicious Java code, establishing a reverse shell connection.
Title, values added: Eclipse Equinox OSGi 3.8-3.18 Console Remote Code Execution
Weaknesses, values added: CWE-306
References, values added:
Metrics, values added:
cvssV3_1: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}
cvssV4_0: {'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}



MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-05T14:57:23.089Z

Reserved: 2026-01-10T01:51:52.984Z

Link: CVE-2023-54342

Vulnrichment

Updated: 2026-05-05T14:57:15.444Z

NVD

Status: Received

Published: 2026-05-05T12:16:15.650

Modified: 2026-05-05T12:16:15.650

Link: CVE-2023-54342

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-05T12:30:24Z

Weaknesses