ERPGo SaaS 3.9 CSV Injection Allows RCE via Vendor Fields
The National Vulnerability Database reports a critical CSV injection vulnerability, CVE-2023-54348, in ERPGo SaaS version 3.9. The flaw lets an authenticated attacker achieve arbitrary code execution by embedding a malicious formula payload in a vendor name field. It carries a CVSS score of 8.8 (High).
An attacker exploits it by entering a formula such as `=10+20+cmd|' /C calc'!A0` as the vendor name during vendor creation. When another user later exports the vendor list and opens the generated CSV file in a spreadsheet application, the application evaluates the injected formula and the embedded command runs on that user's workstation.
This isn’t a theoretical risk. CSV injection is a well-understood attack vector, and its impact scales with user permissions. For defenders, the immediate concern is the ease of exploitation by an authenticated user and the potential for lateral movement or data exfiltration once code execution is achieved on a workstation.
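As an added illustration of where a defender can act (example code written for this page, not code from ERPGo or from the advisory source), the following Python script shows both halves of the response: an audit helper that flags stored vendor names a spreadsheet would evaluate as formulas, and an export routine that neutralizes such cells by prefixing a single quote and quoting every field. The vendor rows, the field names and the helper names are constructed for this example; the third vendor name uses the payload shape quoted above.

```python
import csv
import io

# Leading characters that make Excel, LibreOffice and Google Sheets treat a
# cell as a formula. Tab and carriage return are included because some
# importers trim leading whitespace before deciding what the cell is.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")

# Constructed sample vendor rows for this example (not data from ERPGo).
# The third name uses the payload shape quoted in the advisory.
SAMPLE_VENDORS = [
    {"name": "Acme Supplies", "contact": "acme@example.com"},
    {"name": "-Hyphen Corp", "contact": "sales@example.net"},
    {"name": "=10+20+cmd|' /C calc'!A0", "contact": "attacker@example.org"},
]


def looks_like_formula(value: str) -> bool:
    """True if a spreadsheet would evaluate this cell instead of displaying it."""
    return value.startswith(FORMULA_TRIGGERS)


def find_suspicious_vendors(rows):
    """Audit helper: stored names that would run as formulas once exported."""
    return [row["name"] for row in rows if looks_like_formula(row["name"])]


def neutralize_cell(value: str) -> str:
    """Force text mode for a dangerous cell by prefixing a single quote.

    The prefix is applied only when the cell starts with a trigger character;
    every other value passes through unchanged.
    """
    return "'" + value if looks_like_formula(value) else value


def export_vendors(rows, sanitize=True) -> str:
    """Write rows as CSV. sanitize=False reproduces the vulnerable export."""
    buf = io.StringIO()
    writer = csv.DictWriter(
        buf,
        fieldnames=["name", "contact"],
        quoting=csv.QUOTE_ALL,  # quoting every field also stops column break-out
        lineterminator="\n",
    )
    writer.writeheader()
    for row in rows:
        writer.writerow(
            {k: neutralize_cell(v) if sanitize else v for k, v in row.items()}
        )
    return buf.getvalue()


def reimported_names(csv_text: str):
    """Read an export back the way a spreadsheet importer sees the cells."""
    return [row["name"] for row in csv.DictReader(io.StringIO(csv_text))]


if __name__ == "__main__":
    print("stored names needing review:", find_suspicious_vendors(SAMPLE_VENDORS))
    print("vulnerable export:\n" + export_vendors(SAMPLE_VENDORS, sanitize=False))
    print("hardened export:\n" + export_vendors(SAMPLE_VENDORS))
```

The check is keyed on the leading character only, so a legitimate name such as `-Hyphen Corp` is prefixed as well; that is the usual trade-off, since the prefix keeps the value readable while preventing evaluation. The audit helper is the part that answers the "audit your vendor creation forms" advice below: run it over the stored records, not just over new input.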
What This Means For You
- If your organization uses ERPGo SaaS 3.9, you need to assess your exposure to CVE-2023-54348. Audit your vendor creation forms for any suspicious entries and educate users about the risks of opening untrusted CSV files, especially those from internal systems that might be compromised.
Related ATT&CK Techniques
🛡️ Detection Rules
CVE-2023-54348 - ERPGo SaaS CSV Injection via Vendor Name

```yaml
title: CVE-2023-54348 - ERPGo SaaS CSV Injection via Vendor Name
id: scw-2026-05-05-ai-1
status: experimental
level: critical
description: |
  Detects attempts to exploit CVE-2023-54348 by identifying POST requests to the vendor creation endpoint containing common command injection patterns within the URI query parameters, indicative of CSV injection payloads targeting spreadsheet applications.
author: SCW Feed Engine (AI-generated)
date: 2026-05-05
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2023-54348/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: webserver
detection:
  selection:
    cs-uri|contains:
      - '/vendor/create'
    cs-method:
      - 'POST'
  selection_payload:
    cs-uri-query|contains:
      - '=cmd|'
      - '=EXEC'
      - '=CALL'
  condition: selection AND selection_payload
falsepositives:
  - Legitimate administrative activity
```
Source: Shimi's Cyber World
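The rule's logic, run over a handful of constructed web server log lines, as an added example that is not part of the page or of the feed's own tooling. Two caveats a detection engineer would want to check before deploying it are built in. First, the script URL-decodes the query string before matching, which the rule as written does not: a browser sends `=cmd|` as `%3Dcmd%7C`, so the literal patterns only fire on logs that already store decoded values (`decode=False` reproduces the rule verbatim and finds nothing). Second, the rule keys on `cs-uri-query`, so a vendor name submitted in a POST form body never reaches a standard access log; coverage depends on whether the field the rule matches on is actually logged. The log format (date, time, method, URI stem, query, status) and every line in it are invented for this example.

```python
import urllib.parse

# The three parts of the Sigma rule above, transcribed as data.
RULE_URI_FRAGMENT = "/vendor/create"
RULE_METHOD = "POST"
RULE_PAYLOAD_PATTERNS = ("=cmd|", "=EXEC", "=CALL")

# Constructed W3C-style access log lines for this example:
#   date time cs-method cs-uri-stem cs-uri-query sc-status
# Lines 2 and 4 carry URL-encoded formula payloads in the query string;
# line 5 targets a different endpoint and must not fire.
SAMPLE_LOG = """\
2026-05-05 15:16:01 POST /vendor/create name=Acme+Supplies 302
2026-05-05 15:16:07 POST /vendor/create name=%3Dcmd%7C%27+%2FC+calc%27%21A0 302
2026-05-05 15:16:12 GET /vendor/create - 200
2026-05-05 15:16:20 POST /vendor/create name=%3DEXEC%28%22x%22%29 302
2026-05-05 15:16:25 POST /customer/create name=%3Dcmd%7Cfoo 302
"""


def parse_line(line: str) -> dict:
    """Turn one log line into a record keyed by the rule's field names."""
    _date, _time, method, stem, query, status = line.split()
    return {
        "cs-method": method,
        "cs-uri": stem,
        "cs-uri-query": "" if query == "-" else query,
        "sc-status": int(status),
    }


def contains_ci(haystack: str, needle: str) -> bool:
    """Sigma string matching is case-insensitive by default."""
    return needle.lower() in haystack.lower()


def matches_rule(record: dict, decode: bool = True) -> bool:
    """Evaluate `condition: selection AND selection_payload` for one record."""
    selection = (
        contains_ci(record["cs-uri"], RULE_URI_FRAGMENT)
        and record["cs-method"].upper() == RULE_METHOD
    )
    query = record["cs-uri-query"]
    if decode:
        # Undo percent-encoding and '+' so the literal patterns can match.
        query = urllib.parse.unquote_plus(query)
    selection_payload = any(contains_ci(query, p) for p in RULE_PAYLOAD_PATTERNS)
    return selection and selection_payload


def matching_lines(log_text: str, decode: bool = True) -> list:
    """Return the 1-based line numbers the rule fires on."""
    hits = []
    for number, line in enumerate(log_text.splitlines(), start=1):
        if line.strip() and matches_rule(parse_line(line), decode=decode):
            hits.append(number)
    return hits


if __name__ == "__main__":
    print("with decoding:   ", matching_lines(SAMPLE_LOG))
    print("rule as written: ", matching_lines(SAMPLE_LOG, decode=False))
```

If the rule is deployed on logs that keep the raw request line, add a decode step in the SIEM pipeline or match on the encoded forms as well; otherwise the three patterns are effectively dead.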
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2023-54348 | Code Injection | ERPGo SaaS version 3.9 |
| CVE-2023-54348 | Code Injection | CSV Injection via vendor name fields |
| CVE-2023-54348 | Code Injection | Malicious formula payload: `=10+20+cmd\|' /C calc'!A0` |
Source & Attribution
| Field | Value |
|---|---|
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | May 05, 2026 at 15:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.