VYPR
Unrated severity · NVD Advisory · Published Jan 19, 2024 · Updated Jun 20, 2025

CVE-2023-51947

Description

Improper access control on nasSvr.php in actidata actiNAS SL 2U-8 RDX 3.2.03-SP1 allows remote attackers to read and modify different types of data without authentication.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A missing access control check in the nasSvr.php endpoint of actidata actiNAS SL 2U-8 RDX 3.2.03-SP1 lets unauthenticated remote attackers read and modify sensitive data.

Vulnerability

The vulnerability is an improper access control flaw in the nasSvr.php endpoint of actidata actiNAS SL 2U-8 RDX firmware version 3.2.03-SP1. The web application does not enforce authentication for multiple operations exposed through this endpoint, allowing unauthenticated access to functions that read and write data. The product is marked as End of Life [1].

Exploitation

An attacker can exploit this by sending crafted HTTP GET or POST requests to nasSvr.php with the appropriate func and op parameters. No prior authentication or user interaction is required. The attacker can leverage a site-wide directory listing (CVE-2023-51948) to discover the exact parameter structure from client-side JavaScript files under /app/model [2]. For example, requesting /nasSvr.php?func=getSysLogList returns system logs without authentication [2]. Similarly, operations such as accountMgr&op=getAccList, accountMgr&op=addAcc, accountMgr&op=delAcc, storageMgr&op=getArrayList, and homeMgr&op=getMgrAppList are all accessible without authorization [2].

Impact

Successful exploitation allows an unauthenticated remote attacker to read sensitive information (e.g., account lists, system logs, disk configurations, service home folders) and to modify data (e.g., add or delete management accounts). This can lead to full compromise of the device, including privilege escalation to administrative control and potential data exfiltration or destruction [2]. The product is End of Life, meaning no security patches are expected [1].

Mitigation

The vendor has marked the actiNAS SL 2U-8 RDX as End of Life and directs customers to migrate to successor models from the DX6 family [1]. No patch will be released for firmware version 3.2.03-SP1. As a workaround, administrators should isolate the affected device from untrusted networks, restrict access to the web interface via firewall rules, and replace the device with a supported model as soon as possible [1].
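Because no patch will ship, monitoring for the behaviour described above is the remaining control besides network isolation. The following is an added example, not vendor code or anything from the references: it scans web-server access logs for requests to nasSvr.php, matches the func/op pairs named in the Exploitation section, and raises the severity when the request comes from outside a management subnet. The combined log format, the 10.0.50.0/24 management network, the sample log lines and the func value `someOtherFunc` are all constructed assumptions for the example.

```python
"""Flag requests to nasSvr.php that match the unauthenticated operations named in
CVE-2023-51947, using web-server access logs as input.

Added example for this advisory; not actidata code. Assumptions: Apache/nginx
combined log format, and 10.0.50.0/24 as the only network that should reach the
NAS web interface at all.
"""
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# (func, op) pairs the advisory lists as reachable without authentication.
# getSysLogList is requested with func alone, so its op is None.
SENSITIVE_OPS = {
    ("getSysLogList", None),
    ("accountMgr", "getAccList"),
    ("accountMgr", "addAcc"),
    ("accountMgr", "delAcc"),
    ("storageMgr", "getArrayList"),
    ("homeMgr", "getMgrAppList"),
}
# Operations that modify data (account creation/deletion) rank highest.
WRITE_OPS = {("accountMgr", "addAcc"), ("accountMgr", "delAcc")}

# Assumption: hosts permitted to use the management interface.
MGMT_NET = ipaddress.ip_network("10.0.50.0/24")

# Combined-log prefix: client ip, identd, user, [timestamp], "METHOD path proto", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def classify(line):
    """Return a finding dict for a nasSvr.php request, or None if the line is irrelevant."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["path"])
    if not url.path.endswith("/nasSvr.php"):
        return None
    qs = parse_qs(url.query)
    func = qs.get("func", [None])[0]
    op = qs.get("op", [None])[0]
    key = (func, op)
    # Match the bare-func case (getSysLogList) regardless of any op value.
    sensitive = key in SENSITIVE_OPS or (func, None) in SENSITIVE_OPS
    outside = ipaddress.ip_address(m["ip"]) not in MGMT_NET

    if sensitive and outside:
        severity = "high" if key in WRITE_OPS else "medium"
    elif sensitive:
        severity = "info"  # expected admin traffic, kept for audit trail
    elif outside:
        severity = "low"   # any other nasSvr.php access from an untrusted network
    else:
        return None
    return {
        "ip": m["ip"], "ts": m["ts"], "method": m["method"], "func": func, "op": op,
        "status": int(m["status"]), "outside_mgmt": outside, "severity": severity,
    }


def scan(lines):
    """Classify every line and return the non-empty findings in log order."""
    return [f for f in (classify(l) for l in lines) if f is not None]


# Constructed sample log lines (not real traffic); 10.0.50.12 is inside MGMT_NET.
SAMPLE_LOG = [
    '203.0.113.7 - - [19/Jan/2024:10:02:11 +0000] "GET /nasSvr.php?func=getSysLogList HTTP/1.1" 200 5120 "-" "curl/8.4.0"',
    '203.0.113.7 - - [19/Jan/2024:10:02:15 +0000] "POST /nasSvr.php?func=accountMgr&op=addAcc HTTP/1.1" 200 88 "-" "curl/8.4.0"',
    '10.0.50.12 - - [19/Jan/2024:10:05:00 +0000] "GET /nasSvr.php?func=accountMgr&op=getAccList HTTP/1.1" 200 1400 "http://nas/" "Mozilla/5.0"',
    '198.51.100.3 - - [19/Jan/2024:10:06:30 +0000] "GET /nasSvr.php?func=storageMgr&op=getArrayList HTTP/1.1" 200 900 "-" "python-requests/2.31"',
    '198.51.100.3 - - [19/Jan/2024:10:06:31 +0000] "GET /index.php HTTP/1.1" 200 3000 "-" "python-requests/2.31"',
    # someOtherFunc is a constructed value, not an operation named in the advisory.
    '198.51.100.3 - - [19/Jan/2024:10:06:32 +0000] "GET /nasSvr.php?func=someOtherFunc HTTP/1.1" 404 0 "-" "python-requests/2.31"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(f'{finding["severity"]:6} {finding["ip"]:14} {finding["method"]:4} '
              f'func={finding["func"]} op={finding["op"]} status={finding["status"]}')
```

On the sample input the two requests from 203.0.113.7 and the storageMgr request from 198.51.100.3 are flagged medium or high, the in-network getAccList call is recorded as info, and the unrelated nasSvr.php hit from outside is low. The severity ladder is deliberately driven by source network rather than by HTTP status, since the flaw is that these operations succeed (200) without a session; a device that is End of Life should in any case only be reachable from the management network the rule assumes.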

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 3

News mentions: 0

No linked articles in our index yet.