PatchSiren cyber security CVE debrief
CVE-2023-6150 Eskom CVE debrief
CVE-2023-6150 is a high-severity issue in ESKOM’s E-Belediye / e-municipality module affecting versions before v105. The NVD record and USOM advisory describe an incorrect use of privileged APIs weakness that can expose user-provided data. The published CVSS 3.1 vector indicates the issue is network reachable, requires no privileges or user interaction, and has a high confidentiality impact.
- Vendor: Eskom
- Product: E-Belediye
- CVSS: HIGH 7.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2023-11-28
- Original CVE updated: 2026-05-20
- Advisory published: 2023-11-28
- Advisory updated: 2026-05-20
Who should care
Organizations running ESKOM E-Belediye or the e-municipality module, especially any deployment that may be on a version earlier than v105. Security and operations teams should also care if the module is exposed to untrusted networks or integrated into systems that handle sensitive user-submitted data.
Technical summary
The official vulnerability data maps CVE-2023-6150 to cpe:2.3:a:eskom:e-belediye with affected versions ending before 105. USOM identifies CWE-648 (Incorrect Use of Privileged APIs). The CVSS vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N indicates remote, unauthenticated access with high confidentiality impact and no listed integrity or availability impact.
Defensive priority
High. The record shows a straightforward network-reachable exposure with no authentication or user interaction required and a high confidentiality rating. Systems on affected versions should be prioritized for upgrade and exposure review.
Recommended defensive actions
- Upgrade E-Belediye / e-municipality module instances to version 105 or later, since the vulnerable range ends before 105.
- Inventory all deployments and confirm whether any instance uses product naming variations such as ESKOM Computer e-municipality or E-Belediye.
- Restrict network access to the module and its APIs until affected systems are confirmed patched.
- Review access logs and API activity for unusual or unexpected data retrieval patterns.
- Apply least-privilege and authorization checks around any privileged API paths used by the module.
- Track the NVD and USOM advisories for any additional vendor guidance or remediation notes.
Evidence notes
This debrief is based on the supplied NVD record and USOM advisory references only. The NVD data lists the vulnerable CPE as eskom:e-belediye with versionEndExcluding 105, CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, and the source weakness mapping CWE-648 from the USOM reference. The CVE was published on 2023-11-28 and last modified on 2026-05-20.
Official resources
- CVE-2023-6150 CVE record (CVE.org)
- CVE-2023-6150 NVD detail (NVD)
- Source item URL (nvd_modified)
- Source reference
- Mitigation or vendor reference: [email protected] - Third Party Advisory
Publicly disclosed in the NVD record on 2023-11-28 and last modified on 2026-05-20. No CISA KEV listing was supplied for this CVE.