vulnerability

Debian: CVE-2023-30801: qbittorrent -- security update

Try Surface Command

Back to search

Severity	CVSS	Published	Added	Modified
10	(AV:N/AC:L/Au:N/C:C/I:C/A:C)	Oct 10, 2023	May 15, 2025	Aug 15, 2025

Severity

CVSS

(AV:N/AC:L/Au:N/C:C/I:C/A:C)

Published

Oct 10, 2023

Added

May 15, 2025

Modified

Aug 15, 2025

Description

All versions of the qBittorrent client through 4.5.5 use default credentials when the web user interface is enabled. The administrator is not forced to change the default credentials. As of 4.5.5, this issue has not been fixed. A remote attacker can use the default credentials to authenticate and execute arbitrary operating system commands using the "external program" feature in the web user interface. This was reportedly exploited in the wild in March 2023.

Solution

no-fix-debian-deb-package

References

CVE-2023-30801
https://attackerkb.com/topics/CVE-2023-30801
CWE-1392
CWE-798

NEW

Explore Exposure Command

Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.

Try it today