Remote code execution in a billion-dollar publicly traded company

Four things need to happen in order to find CVE-2023-22621 in the wild:

1. You need to find a website that is powered by Strapi.
2. The super admin account for this website, somehow, has not been claimed yet.
3. The version of Strapi should be 4.5.5 or below.
4. No other hacker has somehow spotted any of the three aforementioned conditions first.

The stars aligned in my favor, and with this CVE I managed to fully take over one of the websites of a billion-dollar company listed on the New York Stock Exchange.

Hello World

This is a new space for me to write about tech. Thanks to GitHub Pages and Hugo, I'm able to set this up without spending a single dollar.