PatchSiren

CVE-2023-6151 Eskom CVE debrief

CVE-2023-6151 is a high-severity information disclosure issue in ESKOM's E-Belediye e-municipality module. According to the official NVD record and the referenced USOM advisory, versions before v105 are affected. The published CVSS vector indicates remote, unauthenticated exploitation with high confidentiality impact and no integrity or availability impact. Organizations using affected builds should prioritize upgrading to v105 or later and review any exposed data paths.

Vendor: Eskom
Product: E-Belediye
CVSS: HIGH 7.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2023-11-28
Original CVE updated: 2026-05-20
Advisory published: 2023-11-28
Advisory updated: 2026-05-20

Who should care

Administrators, security teams, and operators running ESKOM E-Belediye/e-municipality module deployments before v105, especially where the module handles resident or municipal records.

Technical summary

The record describes an incorrect use of privileged APIs that can allow data provided by users to be collected or disclosed improperly. NVD maps the vulnerable range as cpe:2.3:a:eskom:e-belediye:* with versions before 105 affected, and the advisory references CWE-648. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) indicates a network-reachable confidentiality issue without privilege requirements.

Defensive priority

High. This is a remotely reachable, unauthenticated confidentiality exposure affecting a municipal service module, so patching should be prioritized over routine maintenance windows.

Recommended defensive actions

  • Upgrade E-Belediye/e-municipality module to v105 or later.
  • Inventory deployments that use the eskom:e-belediye product CPE and verify no older versions remain in production.
  • Review access logs and application telemetry for unexpected data access patterns around the affected module.
  • If sensitive user data may have been exposed, follow incident response and notification procedures appropriate to your jurisdiction and data classification.
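
One way to carry out the inventory step above, as an added example that is not part of the NVD record, the USOM advisory, or any vendor tooling. It assumes the asset inventory stores a CPE 2.3 string per host and that versions are written as "104", "v105" or "105.2"; the hostnames, the inventory entries and the function names are constructed for illustration.

```python
import re

# From the page: NVD lists eskom:e-belediye, versions before 105 affected.
TARGET = ("a", "eskom", "e-belediye")
FIXED_VERSION = 105

def parse_cpe23(cpe):
    """Split a CPE 2.3 formatted string on unescaped colons; None if malformed."""
    fields = re.split(r"(?<!\\):", cpe.strip())
    if len(fields) != 13 or fields[:2] != ["cpe", "2.3"]:
        return None
    return [f.lower() for f in fields[2:]]  # part, vendor, product, version, ...

def classify(cpe):
    """Return 'affected', 'fixed', 'review' or 'not-applicable' for one entry."""
    attrs = parse_cpe23(cpe)
    if attrs is None:
        return "review"  # malformed entry: a human has to look at it
    if tuple(attrs[:3]) != TARGET:
        return "not-applicable"
    # Assumption: versions are recorded as "104", "v105" or "105.2".
    m = re.fullmatch(r"v?(\d+)(?:\.\d+)*", attrs[3])
    if m is None:
        return "review"  # '*', '-' or an unexpected format: version unknown
    return "affected" if int(m.group(1)) < FIXED_VERSION else "fixed"

def audit(inventory):
    """Map each host to its status, leaving out entries for other products."""
    results = {host: classify(cpe) for host, cpe in inventory.items()}
    return {h: s for h, s in results.items() if s != "not-applicable"}

# Constructed sample inventory (hostnames and entries are made up).
SAMPLE_INVENTORY = {
    "app-01": "cpe:2.3:a:eskom:e-belediye:104:*:*:*:*:*:*:*",
    "app-02": "cpe:2.3:a:eskom:e-belediye:v105:*:*:*:*:*:*:*",
    "app-03": "cpe:2.3:a:eskom:e-belediye:*:*:*:*:*:*:*:*",
    "app-04": "cpe:2.3:a:ESKOM:E-Belediye:98.3:*:*:*:*:*:*:*",
    "web-01": "cpe:2.3:a:examplevendor:exampleapp:2.1:*:*:*:*:*:*:*",
    "app-05": "cpe:2.3:a:eskom:e-belediye:104",
}

if __name__ == "__main__":
    for host, status in sorted(audit(SAMPLE_INVENTORY).items()):
        print(f"{host}: {status}")
```

Entries with a wildcard or missing version come back as "review" rather than "fixed", so an unknown build is never counted as patched.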

Evidence notes

Source corpus includes the official NVD record, the CVE record, and USOM/Siber Güvenlik advisory references. The CVE was published on 2023-11-28 and later modified on 2026-05-20; those dates are record metadata, not an exploit timeline. The provided data does not list a KEV entry or ransomware campaign use.

Official resources

Publicly disclosed in the CVE/NVD record on 2023-11-28. The provided data shows a later record modification on 2026-05-20; no KEV listing is present.