CVE-2023-43320 Proxmox VE - TOTP Brute Force

Executive Summary

A TOTP brute-force technique targeting Proxmox VE authentication flows was reported (EDB ID: 51763). The technique attempts to enumerate Time-based One-Time Passwords (TOTP) by programmatically submitting token values while leveraging a valid username and password to renew an authentication ticket. Successful enumeration could allow bypass of the second authentication factor and lead to administrative access.

This document provides detection, mitigation, and secure testing guidance only. The original exploit code is intentionally excluded due to misuse risk.

Associated CVE (reference): CVE-2023-43320
Reported EDB ID: 51763
Reported affected versions (example): Proxmox VE 5.4 - 7.4-1 (per public reporting)
Risk: High for administrative compromise if MFA is bypassed.

Technical Overview (High Level)

Attackers supply a known username and password and request an authentication ticket from the Proxmox API.
The attacker then iterates candidate 6-digit TOTP values against the TOTP challenge parameter in repeated authentication attempts.
Repeated, rapid attempts may succeed if rate-limiting, lockout, or other anti-automation controls are absent.

This advisory does not include exploit code or step-by-step instructions.

Indicators of Compromise and Detection

Authentication Ticket Anomalies
- Large numbers of /api2/extjs/access/ticket requests for the same account within short intervals.
- Repeated authentication failures for the same user originating from a single IP or a small set of IPs.
Rapid TOTP Attempts
- High frequency POST requests that include TOTP-related parameters (tfa-challenge, tfa, or totp labels).
Session and IP Correlation
- Correlate ticket issuance events with subsequent suspicious authentication attempts and record originating IPs.
WAF/IDS Alerts
- Configure signatures to detect repeated similar POST payloads and abnormal parameter patterns against authentication endpoints.
SIEM Metrics
- Alert on deviation from baseline authentication failure rates for administrative accounts.

Short-Term Mitigations

Restrict access to Proxmox management interfaces to trusted networks or administrative VPNs.
Enforce IP allowlists for management endpoints where operationally possible.
Implement strict rate-limiting on authentication endpoints.
Configure account lockout or exponential back-off after multiple failed TOTP attempts.
Monitor and alert on anomalous authentication patterns in real time.

Long-Term Remediation and Hardening

Apply vendor-provided updates and security patches as they are published for Proxmox VE.
Harden authentication flows by adding brute-force protections at the application layer: request throttling, per-account attempt counters, and global anti-automation controls.
Consider deploying risk-based adaptive authentication controls for administrative access.
Require administrative access via a jump host or bastion host and mandate MFA at the network perimeter (VPN with MFA).
Employ device-based or hardware-backed MFA options where feasible.
Maintain centralized logging of authentication events and conduct regular review cycles.

Recommended Secure Testing Procedures

Perform any testing only in an isolated, authorized laboratory environment. Obtain formal written authorization prior to testing production systems.
Use a dedicated test deployment that mirrors production configuration but contains no production data.
Focus tests on validating rate limits, lockout behavior, and detection rules rather than performing large-scale token enumeration.
Record all test traffic and outcomes. Use conservative throttle settings during tests to avoid accidental disruption.

References

Exploit-DB: EDB ID 51763 (public advisory reference)
Proxmox VE: https://www.proxmox.com/en/
CVE reference: CVE-2023-43320 (as reported in public sources)

Credits

Original reporting and PoC authors: Cory Cline, Gabe Rust.
Prepared by: LAYERWEB Security Team (defensive advisory).

NOTICE: This file omits exploit code. It is provided for defensive use only. Unauthorized exploitation of systems is illegal and unethical.

Executive Summary

This document provides detection, mitigation, and secure testing guidance only. The original exploit code is intentionally excluded due to misuse risk.

Technical Overview (High Level)

Attackers supply a known username and password and request an authentication ticket from the Proxmox API.

The attacker then iterates candidate 6-digit TOTP values against the TOTP challenge parameter in repeated authentication attempts.

Repeated, rapid attempts may succeed if rate-limiting, lockout, or other anti-automation controls are absent.

This advisory does not include exploit code or step-by-step instructions.

Indicators of Compromise and Detection

Authentication Ticket Anomalies

Large numbers of /api2/extjs/access/ticket requests for the same account within short intervals.
Repeated authentication failures for the same user originating from a single IP or a small set of IPs.

Rapid TOTP Attempts

High frequency POST requests that include TOTP-related parameters (tfa-challenge, tfa, or totp labels).

Session and IP Correlation

Correlate ticket issuance events with subsequent suspicious authentication attempts and record originating IPs.

WAF/IDS Alerts

Configure signatures to detect repeated similar POST payloads and abnormal parameter patterns against authentication endpoints.

SIEM Metrics

Alert on deviation from baseline authentication failure rates for administrative accounts.

Short-Term Mitigations

Restrict access to Proxmox management interfaces to trusted networks or administrative VPNs.

Enforce IP allowlists for management endpoints where operationally possible.

Implement strict rate-limiting on authentication endpoints.

Configure account lockout or exponential back-off after multiple failed TOTP attempts.

Monitor and alert on anomalous authentication patterns in real time.

Long-Term Remediation and Hardening

Apply vendor-provided updates and security patches as they are published for Proxmox VE.

Harden authentication flows by adding brute-force protections at the application layer: request throttling, per-account attempt counters, and global anti-automation controls.

Consider deploying risk-based adaptive authentication controls for administrative access.

Require administrative access via a jump host or bastion host and mandate MFA at the network perimeter (VPN with MFA).

Employ device-based or hardware-backed MFA options where feasible.

Maintain centralized logging of authentication events and conduct regular review cycles.

Recommended Secure Testing Procedures

Perform any testing only in an isolated, authorized laboratory environment. Obtain formal written authorization prior to testing production systems.

Use a dedicated test deployment that mirrors production configuration but contains no production data.

Focus tests on validating rate limits, lockout behavior, and detection rules rather than performing large-scale token enumeration.

Record all test traffic and outcomes. Use conservative throttle settings during tests to avoid accidental disruption.

CATEGORY	Vulnerabilities
PUBLISHED	January 31, 2024
AUTHOR	Cory Cline, Gabe Rust (original); Prepared by: LAYERWEB Security Team
READ TIME	3 MIN

CATEGORY	Vulnerabilities
PUBLISHED	January 31, 2024
AUTHOR	Cory Cline, Gabe Rust (original); Prepared by: LAYERWEB Security Team
READ TIME	3 MIN

CVE-2023-43320 Proxmox VE - TOTP Brute Force

VULNERABILITY INFO

TAGS

SHARE

Executive Summary

Technical Overview (High Level)

Indicators of Compromise and Detection

Short-Term Mitigations

Long-Term Remediation and Hardening

Recommended Secure Testing Procedures

References

Credits

RELATED VULNERABILITIES

CVE-2023-44487 - HTTP/2 Rapid Reset Denial of Service

CVE-2025-41228 - VMware vSphere Client 8.0.3.0 XSS

CVE-2023-6553 - WordPress Backup Migration Plugin Remote Code Execution

Need Professional Security Audit?

CVE-2023-43320 Proxmox VE - TOTP Brute Force

VULNERABILITY INFO

TAGS

SHARE

Executive Summary

Technical Overview (High Level)

Indicators of Compromise and Detection

Short-Term Mitigations

Long-Term Remediation and Hardening

Recommended Secure Testing Procedures

References

Credits

RELATED VULNERABILITIES

CVE-2023-44487 - HTTP/2 Rapid Reset Denial of Service

CVE-2025-41228 - VMware vSphere Client 8.0.3.0 XSS

CVE-2023-6553 - WordPress Backup Migration Plugin Remote Code Execution

Need Professional Security Audit?