CVE-2023-54344
Published: 05 May 2026
Description
Eclipse Equinox OSGi 3.7.2 and earlier contains a remote code execution vulnerability that allows unauthenticated attackers to execute arbitrary commands by sending payloads to the console interface. Attackers can connect to the OSGi console port and send base64-encoded bash commands wrapped in fork directives to achieve code execution and establish reverse shell connections.
Mitigating Controls (NIST 800-53 r5)
Requires timely remediation of the specific flaw in Eclipse Equinox OSGi 3.7.2 and earlier, eliminating the unauthenticated remote code execution vulnerability in the console interface.
Restricts system functionality by prohibiting or disabling the unnecessary OSGi console port, preventing exposure to unauthenticated remote command execution.
Enforces boundary protection to monitor and control network communications, blocking unauthorized access to the exposed OSGi console port.
Security Summary
Eclipse Equinox OSGi versions 3.7.2 and earlier contain a remote code execution vulnerability in the console interface. This flaw, tracked as CVE-2023-54344 and published on 2026-05-05, allows attackers to execute arbitrary commands by sending specially crafted payloads. It is associated with CWE-306 (Missing Authentication for Critical Function) and carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its network accessibility and lack of prerequisites.
Unauthenticated attackers can exploit this vulnerability by connecting to the exposed OSGi console port and transmitting base64-encoded bash commands wrapped in fork directives. Successful exploitation enables arbitrary code execution on the target system, including the establishment of reverse shell connections for persistent access and further compromise.
Advisories and related resources, including a VulnCheck advisory on the Eclipse Equinox OSGi remote code execution and an Exploit-DB entry (exploit 51879), provide details on the issue; the Exploit-DB entry publishes a proof-of-concept exploit. No specific patch or mitigation details are outlined in the core CVE information.
Details
- CWE(s)