CVE-2023-27486

Name: CVE-2023-27486
Creator: NVD / NIST
Published: 2023-03-08T19:15:11.073+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

HIGHCVSS 8.8/10EPSS 0.85%

Last modified Jun 17, 2026

CVE-2023-27486 is a high-severity vulnerability rated 8.8/10 on the CVSS scale. xCAT is a toolkit for deployment and administration of computer clusters. In versions prior to 2.16.5 if zones are configured as a mechanism to secure clusters in XCAT, it is possible for a local root user from one node to obtain credentials to SSH to any node in any zone, except the management node of the default zone. EPSS estimates a 0.85% chance of exploitation in the next 30 days.

Description

xCAT is a toolkit for deployment and administration of computer clusters. In versions prior to 2.16.5 if zones are configured as a mechanism to secure clusters in XCAT, it is possible for a local root user from one node to obtain credentials to SSH to any node in any zone, except the management node of the default zone. XCAT zones are not enabled by default. Only users that use the optional zone feature are impacted. All versions of xCAT prior to xCAT 2.16.5 are vulnerable. This problem has been fixed in xCAT 2.16.5. Users making use of zones should upgrade to 2.16.5. Users unable to upgrade may mitigate the issue by disabling zones or patching the management node with the fix contained in commit `85149c37f49`.

Metrics

CVSS 3.1

8.8/10

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Probability

0.85%

53.6th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-863

Affected Software

Vendor	Product	Versions
Xcat Project	Xcat	< 2.16.5

References

https://github.com/xcat2/xcat-core/issues/7246Exploit, Issue Tracking
https://github.com/xcat2/xcat-core/pull/7247Issue Tracking, Patch
https://github.com/xcat2/xcat-core/pull/7247/commits/85149c37f49dbca7bd85f1f586960315604fc024Patch
https://github.com/xcat2/xcat-core/security/advisories/GHSA-hpxg-7428-6jvvVendor Advisory
https://github.com/xcat2/xcat-core/issues/7246Exploit, Issue Tracking
https://github.com/xcat2/xcat-core/pull/7247Issue Tracking, Patch
https://github.com/xcat2/xcat-core/pull/7247/commits/85149c37f49dbca7bd85f1f586960315604fc024Patch
https://github.com/xcat2/xcat-core/security/advisories/GHSA-hpxg-7428-6jvvVendor Advisory

Timeline

Published: Mar 8, 2023
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2023-27486?

How severe is CVE-2023-27486?

CVE-2023-27486 has a CVSS score of 8.8/10 (HIGH severity). The EPSS model estimates a 0.85% probability of exploitation in the next 30 days.

How do I fix CVE-2023-27486?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2023-27486?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST