Description
Eclipse Equinox OSGi 3.7.2 and earlier contains a remote code execution vulnerability that allows unauthenticated attackers to execute arbitrary commands by sending payloads to the console interface. Attackers can connect to the OSGi console port and send base64-encoded bash commands wrapped in fork directives to achieve code execution and establish reverse shell connections.
Published: 2026-05-05
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Eclipse Equinox OSGi 3.7.2 and earlier allow attackers to execute arbitrary commands through the console interface. An unauthenticated attacker can connect to the OSGi console port and send base64-encoded bash commands wrapped in fork directives, enabling remote code execution and the establishment of reverse shell connections.

Affected Systems

The vulnerability affects the Eclipse Equinox OSGi platform, version 3.7.2 and earlier. Systems running these versions are vulnerable unless the console interface is disabled or the platform is upgraded.

Risk and Exploitability

The CVSS score of 9.3 indicates high severity, and the absence of an EPSS score or KEV listing does not diminish the risk of exploitation. Because the flaw permits unauthenticated command execution via a network-accessible console port, attackers can readily exploit it without any credentials. The high severity and ease of exploitation make this a critical threat for exposed Equinox OSGi environments.

Generated by OpenCVE AI on May 5, 2026 at 12:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor patch or upgrade to Eclipse Equinox OSGi 3.7.3 or later, which implements authentication controls for the console and eliminates the unauthenticated execution path.
  • Configure the OSGi console to require authentication and restrict its network exposure; disable the console if it is not needed.
  • Block external access to the console port using firewalls or segmentation, and monitor for unauthorized console activity.

Advisories

No advisories yet.

History

Tue, 05 May 2026 15:15:00 +0000

Type         Values Removed   Values Added
Metrics      -                ssvc
                              {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 05 May 2026 11:45:00 +0000

Type         Values Removed   Values Added
Description  -                Eclipse Equinox OSGi 3.7.2 and earlier contains a remote code execution vulnerability that allows unauthenticated attackers to execute arbitrary commands by sending payloads to the console interface. Attackers can connect to the OSGi console port and send base64-encoded bash commands wrapped in fork directives to achieve code execution and establish reverse shell connections.
Title        -                Eclipse Equinox OSGi 3.7.2 Remote Code Execution via Console
Weaknesses   -                CWE-306
References   -                -
Metrics      -                cvssV3_1
                              {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}
                              cvssV4_0
                              {'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-05T14:12:54.330Z

Reserved: 2026-01-10T01:51:52.984Z

Link: CVE-2023-54344

Vulnrichment

Updated: 2026-05-05T14:03:36.237Z

NVD

Status: Received

Published: 2026-05-05T12:16:16.710

Modified: 2026-05-05T12:16:16.710

Link: CVE-2023-54344

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-05-05T13:00:07Z

Weaknesses