PatchSiren

PatchSiren cyber security CVE debrief

CVE-2023-50781 Redhat CVE debrief

CVE-2023-50781 is a high-severity flaw in m2crypto that may let a remote attacker decrypt captured TLS traffic from servers that use RSA key exchange, exposing any sensitive data carried in those sessions. NVD scores it CVSS 7.5 (High): network attack vector, low attack complexity, no privileges and no user interaction required, high confidentiality impact with no integrity or availability impact, and classifies the weakness as CWE-203 (Observable Discrepancy).

Vendor
Redhat
Product
m2crypto (CVE-2023-50781)
CVSS
HIGH 7.5
CISA KEV
Not listed in stored evidence
Original CVE published
2024-02-05
Original CVE updated
2026-05-12
Advisory published
2024-02-05
Advisory updated
2026-05-12

Who should care

Security teams and administrators running TLS services that depend on m2crypto, especially internet-facing systems and environments handling confidential data. NVD also lists Red Hat Enterprise Linux 8 and 9 and Red Hat Update Infrastructure 4 as affected CPEs, so consumers of the downstream package should verify their own exposure rather than assume only upstream m2crypto users are affected.

Technical summary

The NVD record describes a flaw in m2crypto that can let a remote attacker decrypt captured messages in TLS servers using RSA key exchanges. The recorded CVSS v3.1 vector is AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, indicating a network-reachable issue with confidentiality impact only. NVD lists the weakness as CWE-203 (Observable Discrepancy, the class of flaw in which an attacker learns something about secret data from differences in the server's observable behaviour) and includes affected CPEs for m2crypto_project:m2crypto, Red Hat Enterprise Linux 8/9, and Red Hat Update Infrastructure 4. The practical consequence follows from how static RSA key exchange works: the client encrypts the premaster secret to the server's long-term RSA key, so there is no forward secrecy, and a session recorded at any time stays recoverable for as long as some server instance can be coaxed into acting as a decryption oracle for that key. Patching every instance that serves a given RSA key, not just the externally visible one, is therefore what closes the exposure.

Defensive priority

High: prioritize any exposed TLS service that uses m2crypto, especially where static RSA key exchange is still enabled or cannot be quickly retired.

Recommended defensive actions

  • Inventory applications and appliances that bundle or depend on m2crypto, then map them to any TLS endpoints exposed to untrusted networks.
  • Check whether affected TLS servers still negotiate RSA key exchange (the TLS_RSA_* suites in TLS 1.2 and earlier); prefer ECDHE or DHE suites, or TLS 1.3, which has no static RSA key exchange at all, wherever the application and platform support them.
  • Apply vendor and downstream package updates tied to CVE-2023-50781 as soon as they are available in your environment.
  • Review whether sensitive traffic protected by impacted TLS services could be exposed if captured, and adjust risk handling accordingly.
  • Track the linked Red Hat advisory and issue tracker for remediation status and deployment guidance before and after patching.
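The second action above, checking whether a server still negotiates static RSA key exchange, is easy to get wrong when configurations mix IANA names (TLS_RSA_WITH_...) with OpenSSL names (AES128-SHA, where the absence of a key-exchange prefix means RSA). The following Python is an added example for this debrief, not code from m2crypto, Red Hat or PatchSiren: it classifies cipher-suite names by key exchange so the static-RSA entries stand out, and it probes a live endpoint by offering only OpenSSL's kRSA suites over TLS 1.2 or lower, so a completed handshake proves the server still accepts them. The sample cipher list is constructed for the example; the name-based classifier is a heuristic and the live probe is only as good as the local OpenSSL build's ability to offer kRSA suites.

```python
"""Audit TLS cipher-suite configuration for static RSA key exchange.

Added example for this CVE-2023-50781 debrief; not m2crypto, Red Hat or
PatchSiren code. Sessions negotiated with static RSA key exchange have no
forward secrecy: whoever can later use the server's RSA private key as a
decryption oracle recovers the premaster secret and the whole recorded
session, which is exactly the confidentiality risk NVD describes.
"""
import socket
import ssl

# TLS 1.3 suites carry no key-exchange component in their name and always use (EC)DHE.
_TLS13_SUITES = {
    "TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384", "TLS_CHACHA20_POLY1305_SHA256",
    "TLS_AES_128_CCM_SHA256", "TLS_AES_128_CCM_8_SHA256",
}

# Constructed sample of a server's configured cipher list (mixed naming conventions).
SAMPLE_SERVER_CIPHERS = [
    "TLS_AES_256_GCM_SHA384",          # TLS 1.3, ephemeral
    "ECDHE-RSA-AES128-GCM-SHA256",     # OpenSSL name, ECDHE key exchange, RSA auth
    "DHE-RSA-AES256-GCM-SHA384",       # OpenSSL name, DHE key exchange
    "AES128-GCM-SHA256",               # OpenSSL name with no prefix: static RSA key exchange
    "TLS_RSA_WITH_AES_256_CBC_SHA",    # IANA name, static RSA key exchange
    "ECDH-RSA-AES128-SHA",             # static ECDH (no forward secrecy either, but not RSA kx)
    "ADH-AES128-SHA",                  # anonymous DH: no authentication at all
]

# OpenSSL cipher string that refuses static RSA key exchange outright (kRSA is the
# OpenSSL keyword for "RSA key exchange"); the rest keeps only AEAD (EC)DHE suites.
HARDENED_OPENSSL_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!kRSA:!aNULL:!eNULL:!MD5"


def key_exchange_of(suite: str) -> str:
    """Classify one cipher-suite name (IANA or OpenSSL form) by its key exchange.

    Returns 'ephemeral', 'static-rsa', 'static-dh', 'anonymous' or 'other'.
    Heuristic: prefix order matters (ECDHE- before ECDH-, TLS_DHE_ before TLS_DH_).
    """
    s = suite.strip().upper()
    if s in _TLS13_SUITES:
        return "ephemeral"
    if s.startswith(("TLS_DH_ANON_", "TLS_ECDH_ANON_", "ADH-", "AECDH-")):
        return "anonymous"
    if s.startswith(("TLS_ECDHE_", "TLS_DHE_", "ECDHE-", "DHE-", "EDH-")):
        return "ephemeral"
    if s.startswith("TLS_RSA_WITH_"):
        return "static-rsa"
    if s.startswith(("TLS_ECDH_", "TLS_DH_", "ECDH-", "DH-")):
        return "static-dh"
    if s.startswith("TLS_") or any(k in s for k in ("PSK", "SRP", "KRB5", "GOST")):
        return "other"
    # Remaining OpenSSL-style names (AES128-SHA, AES256-GCM-SHA384, DES-CBC3-SHA, ...)
    # have no key-exchange prefix, which in OpenSSL's naming means RSA key exchange.
    return "static-rsa"


def audit(suites):
    """Group suites by key exchange; the 'static-rsa' list is what needs removing."""
    report = {}
    for suite in suites:
        report.setdefault(key_exchange_of(suite), []).append(suite.strip())
    return report


def server_accepts_static_rsa(host: str, port: int = 443, timeout: float = 5.0) -> bool:
    """Offer only RSA-key-exchange suites over TLS <= 1.2 against a live server.

    A completed handshake means the server still negotiates static RSA key
    exchange; a handshake failure (ssl.SSLError) means it refused. Certificate
    verification is disabled on purpose: we are testing key exchange, not trust.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2   # TLS 1.3 suites would mask the result
    ctx.set_ciphers("kRSA")   # raises ssl.SSLError if the local OpenSSL cannot offer any
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return key_exchange_of(tls.cipher()[0]) == "static-rsa"
    except ssl.SSLError:
        return False


if __name__ == "__main__":
    for category, names in sorted(audit(SAMPLE_SERVER_CIPHERS).items()):
        print(f"{category:11s} {', '.join(names)}")
    print("hardened cipher string:", HARDENED_OPENSSL_CIPHERS)
```

Run the audit against the cipher list actually configured on each m2crypto-backed service (or against the output of `openssl ciphers -v` for the string it uses); anything in the static-rsa bucket is the exposure this CVE turns into a decryption risk. The live probe is the check to repeat after the change ships, since a server that still completes a kRSA-only handshake has not actually retired RSA key exchange.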

Evidence notes

The CVE record was published on 2024-02-05 and later modified on 2026-05-12. NVD states that the flaw is in m2crypto and may allow a remote attacker to decrypt captured messages in TLS servers using RSA key exchanges. NVD also records CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, weakness CWE-203, and affected CPEs for m2crypto_project:m2crypto, Red Hat Enterprise Linux 8/9, and Red Hat Update Infrastructure 4. The NVD metadata references a Red Hat security advisory, Red Hat Bugzilla issue 2254426, and a Siemens product certification notice; this debrief relies only on the supplied metadata and reference listings.

Official resources

CVE published on 2024-02-05 and last modified on 2026-05-12 in the supplied record. Timing context in this debrief uses the CVE publication date, not the generation date.