CVE-2023-21932: Critical Unauthenticated RCE Vulnerability

CVE-2023-21932: Critical Unauthenticated RCE Vulnerability in Oracle Hospitality OPERA 5 Property Services

According to Oracle��s vulnerability description, CVE-2023-21932 is a difficult- to- exploit vulnerability, requiring network access via HTTP and high privileges. Find Arctic Wolf’s recommendations.

3 May, 2023
by Steven Campbell

Oracle recently released their Critical Patch Update addressing 433 vulnerabilities across their products, including a vulnerability in the Oracle Hospitality OPERA 5 Property Services product. According to Oracle��s vulnerability description, CVE-2023-21932 is a difficult– to– exploit vulnerability, requiring network access via HTTP and high privileges.

However, on 30 April 2023, security researchers from Assetnote published a blog disagreeing with Oracle��s description and assigned severity rating, stating the vulnerability could result in pre-authentication RCE. The proof-of-concept blog demonstrated how the security researchers were able to achieve pre-authenticated RCE.??

The vulnerability is caused by an order of operations bug where the product sanitises an encrypted payload and then decrypts it. Due to this, a threat actor could add any payload without it being sanitised. By gathering information publicly available, such as the JNDI connection name, recreating Oracle��s encryption routine and repurposing it, a threat actor could achieve pre-authentication RCE. The security researchers include the Java file used to encrypt arbitrary strings in their write up, making the recreation and repurposing of Oracle��s encryption routine trivial. The security researchers were able to successfully exploit this vulnerability prior to authentication and upload a CGI web shell to the local file system. ?

Based on the proof– of– concept blog and the included Java file used to encrypt arbitrary strings, we assess threat actors will develop a working proof– of– concept exploit and begin exploiting this vulnerability in the near term against public-facing applications.??

Product?	Vulnerable Version? ? ? ? ? ? ?
Oracle Hospitality OPERA 5 Property Services?	Version 5.6?

Recommendation for CVE-2023-21932

Apply the Latest Security Patch for OPERA 5 Property Services?

Arctic Wolf strongly recommends applying the latest security patch to prevent potential exploitation of this vulnerability. The security patch is behind ��My Oracle Support�� login here: ?

Please follow your organisations patching and testing guidelines to avoid operational impact.?

? 2026 ��. All Rights Reserved.
Privacy Notice	Terms of Use	Cookie Policy	Customer Portal Policy	Accessibility Statement	Sustainability Statement	Information Security	Cookies Settings

��

��

Concierge

Journey

Reduce Attack Frequency

Reduce Attack Severity

Transfer Risk

Get Started

Why Arctic Wolf

Expertise by Topic

Expertise by Industry

Resource Centre

Trending Resources

NIS2 aims to make the EU as a whole more resilient to cyber threats and strengthen cooperation between Member States on cybersecurity.

The Arctic Wolf State of Cybersecurity: 2025 Trends Report serves as an opportunity for decision makers to share their experiences over the past 12 months and their perspectives on some of the most important issues shaping the IT and security landscape.

The Arctic Wolf Threat Report draws upon the first-hand experience of our security experts, augmented by research from our threat intelligence team.

Security Bulletins

Microsoft Patch Tuesday: April 2026?

CVE-2026-35616: Fortinet Releases Hotfix for Critical Exploited Vulnerability in FortiClient EMS

CVE-2026-2699 & CVE-2026-2701: Progress ShareFile Storage Zones Controller Pre-Auth RCE Chain

Company

Careers

Press