CVE-2023-26511 in MachineSelector

Summary

by MITRE • 03/14/2023

A Hard Coded Admin Credentials issue in the Web-UI Admin Panel in Propius MachineSelector 6.6.0 and 6.6.1 allows remote attackers to gain access to the admin panel Propiusadmin.php, which allows taking control of the affected system.


Analysis

by VulDB Data Team • 11/10/2025

The vulnerability identified as CVE-2023-26511 represents a critical security flaw in the Propius MachineSelector software version 6.6.0 and 6.6.1, specifically affecting the web-based administrative interface. This issue manifests as a hard-coded administrative credential configuration within the software's web user interface, creating an inherent security weakness that directly compromises system integrity. The flaw exists in the Propiusadmin.php administrative panel component, which serves as the primary gateway for system administration functions and access controls.

The technical nature of this vulnerability falls under the category of hardcoded credentials, which is classified as CWE-798 in the Common Weakness Enumeration catalog. This weakness occurs when authentication credentials such as usernames and passwords are embedded directly within the source code or configuration files of an application, making them easily discoverable by unauthorized parties. The flaw enables remote attackers to gain unauthorized administrative access to the system without requiring any legitimate authentication process, effectively bypassing all security controls designed to protect system access. Attackers can exploit this vulnerability by simply accessing the Propiusadmin.php endpoint and using the predetermined credentials to establish administrative control over the affected system.

The operational impact of this vulnerability is severe and far-reaching, as it provides attackers with complete administrative privileges over the targeted system. Once an attacker successfully authenticates using the hardcoded credentials, they can perform any administrative function including but not limited to modifying system configurations, accessing sensitive data, creating or modifying user accounts, installing malicious software, and potentially escalating their access to other connected systems within the network. This vulnerability essentially provides a backdoor that allows attackers to take complete control of the affected system, making it a critical concern for organizations relying on Propius MachineSelector for their operations. The remote nature of the attack means that no local system access is required, making the exploitation process straightforward and accessible to any attacker with internet connectivity.

The attack surface for this vulnerability is particularly concerning as it affects a web-based administrative interface that is typically accessible over the network. According to the MITRE ATT&CK framework, this vulnerability maps to the credential access tactic, specifically the technique of hard-coded credentials, which is categorized under T1552.001. Organizations using Propius MachineSelector versions 6.6.0 and 6.6.1 are at significant risk of compromise, as the vulnerability does not require any specialized tools or techniques for exploitation beyond basic web browser access. The flaw represents a fundamental design weakness in the software's security implementation, where security controls were not properly implemented during the development lifecycle. The impact extends beyond immediate system compromise to potential data breaches, service disruption, and regulatory compliance violations that organizations may face due to inadequate security measures. Organizations should immediately implement mitigation strategies including but not limited to updating to patched versions, implementing network segmentation, monitoring for unauthorized access attempts, and conducting comprehensive security assessments to identify any potential exploitation that may have already occurred.
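As an added illustration of the access monitoring recommended above (example code written for this entry, not from VulDB or the vendor): it parses web-server access logs in the common "combined" format and flags logins to Propiusadmin.php that come from outside an assumed management network. The log lines, the 10.0.5.0/24 management range and the 203.0.113.77 source address are constructed.

```python
import re
import ipaddress
from collections import Counter

# Regex for the Apache/nginx "combined" access log format (assumption: the
# admin panel is served by a web server that writes this format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

ADMIN_ENDPOINT = "/Propiusadmin.php"  # affected component named in the advisory

def find_admin_access(log_lines, management_nets):
    """One record per request to the admin panel; marks whether the source
    address lies inside the allow-listed management networks."""
    nets = [ipaddress.ip_network(n) for n in management_nets]
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or not m.group("path").split("?")[0].endswith(ADMIN_ENDPOINT):
            continue
        ip = ipaddress.ip_address(m.group("ip"))
        hits.append({
            "ip": str(ip),
            "method": m.group("method"),
            "status": int(m.group("status")),
            "timestamp": m.group("ts"),
            "trusted_source": any(ip in n for n in nets),
        })
    return hits

def suspicious_logins(hits):
    """POSTs to the panel that were not rejected (status < 400) from an untrusted
    source. With hard-coded credentials the first attempt succeeds, so there is
    no brute-force pattern to wait for: a single such event deserves an alert."""
    return [h for h in hits
            if h["method"] == "POST" and h["status"] < 400 and not h["trusted_source"]]

# Constructed sample log lines (not taken from any real system).
SAMPLE_LOG = [
    '10.0.5.20 - - [14/Mar/2023:09:01:10 +0000] "GET /Propiusadmin.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '10.0.5.20 - - [14/Mar/2023:09:01:22 +0000] "POST /Propiusadmin.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.77 - - [14/Mar/2023:11:42:03 +0000] "GET /Propiusadmin.php HTTP/1.1" 200 5120 "-" "curl/7.88"',
    '203.0.113.77 - - [14/Mar/2023:11:42:04 +0000] "POST /Propiusadmin.php?action=login HTTP/1.1" 302 0 "-" "curl/7.88"',
    '203.0.113.77 - - [14/Mar/2023:11:42:09 +0000] "GET /index.php HTTP/1.1" 200 800 "-" "curl/7.88"',
]

if __name__ == "__main__":
    hits = find_admin_access(SAMPLE_LOG, ["10.0.5.0/24"])
    for h in suspicious_logins(hits):
        print(f"ALERT: admin login from untrusted {h['ip']} at {h['timestamp']} (status {h['status']})")
    print("admin-panel requests per source:", dict(Counter(h["ip"] for h in hits)))
```

Pointing the script at the real access log and the organisation's own management ranges gives a first triage list for the "identify any potential exploitation that may have already occurred" step above.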

Reservation

02/24/2023

Disclosure

03/14/2023

Moderation

accepted

CPE

ready

EPSS

0.00693

KEV

no

Activities

very low
