CVE-2023-45161 CRITICAL

CVE-2023-45161: 1E-Exchange-URLResponseTime instruction before v20.1 allows arbitrary code execution

Vendor 1E

Product Platform

Weakness CWE-20 · Input validation

Published November 6, 2023

Last update June 18, 2025

View on NVD All CVEs

CVSS base score

9.9/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction None

Confidentiality High

Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

What the vulnerability does

01Description

The 1E-Exchange-URLResponseTime instruction that is part of the Network product pack available on the 1E Exchange does not properly validate the URL parameter, which allows for a specially crafted input to perform arbitrary code execution with SYSTEM permissions. This instruction only runs on Windows clients. To remediate this issue download the updated Network product pack from the 1E Exchange and update the 1E-Exchange-URLResponseTime instruction to v20.1 by uploading it through the 1E Platform instruction upload UI

Key dates

02Disclosure timeline

November 6, 2023 CVE published

June 18, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2023-45161

Related vulnerabilities

CVE-2023-45161: 1E-Exchange-URLResponseTime instruction before v20.1 allows arbitrary code execution

01Description

02Disclosure timeline

03References

04Related CVE