Two severe security issues discovered in the open-source CasaOS personal cloud software could allow attackers to gain arbitrary code execution and take control of vulnerable systems. The vulnerabilities, CVE-2023-37265 and CVE-2023-37266, both have a CVSS score of 9.8 out of a possible 10.
The issues, discovered by Sonar security researcher Thomas Chauchefoin, “allow attackers to get around authentication requirements and gain full access to the CasaOS dashboard.” Even more concerning, CasaOS’ support for third-party applications could be abused to execute arbitrary commands on the system, allowing an attacker to establish persistent access to the device or pivot into internal networks. The issues were resolved in version 0.4.4, released by its maintainer, IceWhale, on July 3, 2023, following responsible disclosure on July 3, 2023.