PatchSiren cyber security CVE debrief

CVE-2023-5046 Biltay Technology CVE debrief

CVE-2023-5046 is a critical SQL injection issue in Biltay Technology Procost affecting versions before 1390. The NVD record rates it 9.8 critical and indicates the issue can be reached remotely without authentication or user interaction, which makes exposed deployments especially high risk.

Vendor: Biltay Technology
Product: Procost
CVSS: CRITICAL 9.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2023-10-12
Original CVE updated: 2026-05-21
Advisory published: 2023-10-12
Advisory updated: 2026-05-21

Who should care

Administrators and security teams responsible for Biltay Procost installations, especially internet-facing or database-backed deployments, should prioritize this issue because the vulnerability is remotely exploitable and can impact confidentiality, integrity, and availability.

Technical summary

NVD lists CVE-2023-5046 as an SQL injection flaw in Biltay Procost with vulnerable versions before 1390. The CVSS 3.1 vector is AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, and the supplied description also notes possible command line execution through SQL injection. USOM references the weakness as CWE-89.

Defensive priority

Immediate

Recommended defensive actions

  • Identify all Biltay Procost deployments and confirm whether any instance is running a version before 1390.
  • Apply the vendor's fixed release or otherwise move to a non-affected version confirmed by official product guidance.
  • Reduce exposure of affected systems until remediated, especially where the application is reachable from untrusted networks.
  • Review application, database, and host logs for evidence of SQL injection abuse or unexpected command execution.
  • Use least-privilege database credentials and other compensating controls where immediate upgrading is not possible.

Evidence notes

The corpus contains an official NVD/CVE record, the CVE publication date of 2023-10-12, and a later modified timestamp of 2026-05-21. NVD provides the vulnerable CPE criteria for cpe:2.3:a:biltay:procost with an upper bound excluding 1390 and a CVSS 3.1 score of 9.8. The USOM third-party advisory maps the weakness to CWE-89. No CISA KEV entry or ransomware-campaign linkage is present in the supplied sources.

Official resources

This debrief is based on official CVE/NVD records and a USOM third-party advisory. The CVE was published on 2023-10-12 and later modified on 2026-05-21; the later modified timestamp is not treated as the original issue date.