CVE-2022-0073
published 2022-10-27

Priority: P1 · 86 · high
CVSS 3.1: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Tags: ITW, VulnCheck KEV, Ransomware
Exploited in the wild
EPSS: 8.66% (94.4th percentile)

Improper Input Validation vulnerability in LiteSpeed Technologies OpenLiteSpeed Web Server and LiteSpeed Web Server dashboards allows Command Injection. This affects 1.7.0 versions before 1.7.16.1.

Affected

3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| litespeed_technologies | litespeed_web_server | >= 1.7.0 < 1.7.16.1 | 1.7.16.1 |
| litespeed_technologies | openlitespeed_web_server | >= 1.7.0 < 1.7.16.1 | 1.7.16.1 |
| litespeedtech | openlitespeed | 1.7.0 – 1.7.16.1 | |

Detection & IOCs (extracted from sources)

path: /usr/local/bin
filename: entrypoint.sh
snort: Palo Alto Networks Next-Generation Firewall Advanced Threat Prevention signature 93190
snort: Palo Alto Networks Next-Generation Firewall Advanced Threat Prevention signature 93191
  • Monitor the OpenLiteSpeed/LiteSpeed admin dashboard 'External App Command' field for command injection attempts — this is the vulnerable input vector for CVE-2022-0073.
  • Alert on use of download utilities (curl, fetch, wget) invoked from the LiteSpeed server process context, as these were specifically added to the post-patch mitigation regex to block external script downloads.
  • Detect file writes to /usr/local/bin by the 'nobody' user, which is the privilege escalation indicator for the chained CVE-2022-0074 exploit following initial RCE.
  • Monitor for processes spawned as 'nobody' that subsequently execute binaries from /usr/local/bin, indicating potential binary hijacking via PATH manipulation.
  • Flag OpenLiteSpeed/LiteSpeed versions 1.5.11 through 1.7.16 (open source) or 5.4.6 through 6.0.11 (enterprise) in asset inventory as vulnerable to this RCE chain.
  • The privilege escalation (CVE-2022-0074) via PATH hijacking is specific to the OpenLiteSpeed Docker container configuration where /usr/local/bin is writable by 'nobody' by default; bare-metal or custom deployments may not be affected.
  • Full privileged RCE requires chaining CVE-2022-0073 (command injection) with CVE-2022-0074 (privilege escalation); the initial command injection stage also requires valid admin dashboard credentials.
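
The process and file-write checks from the list above, sketched as an added example (not code from the advisory sources or from LiteSpeed). The event schema, the server process names in SERVER_NAMES and every sample event are assumptions constructed for illustration; map them to whatever your EDR or audit pipeline emits.

```python
import posixpath

# Assumptions (not from the page): event schema and server process names.
SERVER_NAMES = {"litespeed", "openlitespeed", "lshttpd"}
DOWNLOADERS = {"curl", "fetch", "wget"}   # utilities named in the detection notes
WATCH_DIR = "/usr/local/bin"              # path IOC listed on the page

# Constructed sample telemetry, in time order.
EVENTS = [
    {"type": "exec", "pid": 100, "ppid": 1, "user": "root", "exe": "/usr/local/lsws/bin/openlitespeed"},
    {"type": "exec", "pid": 210, "ppid": 100, "user": "nobody", "exe": "/bin/sh"},
    {"type": "exec", "pid": 211, "ppid": 210, "user": "nobody", "exe": "/usr/bin/curl"},
    {"type": "write", "pid": 210, "user": "nobody", "path": "/usr/local/bin/../bin/tool"},
    {"type": "exec", "pid": 300, "ppid": 100, "user": "nobody", "exe": "/usr/local/bin/tool"},
    {"type": "exec", "pid": 400, "ppid": 1, "user": "root", "exe": "/usr/bin/curl"},
    {"type": "write", "pid": 401, "user": "root", "path": "/usr/local/bin/entrypoint.sh"},
]

def in_watch_dir(path):
    return posixpath.normpath(path).startswith(WATCH_DIR + "/")

def descends_from_server(pid, parents, names):
    # Walk the recorded parent chain; 'seen' guards against pid-reuse loops.
    seen = set()
    while pid in parents and pid not in seen:
        seen.add(pid)
        if names.get(pid) in SERVER_NAMES:
            return True
        pid = parents[pid]
    return False

def detect(events):
    parents, names, dropped, alerts = {}, {}, set(), []
    for ev in events:
        if ev["type"] == "exec":
            exe = posixpath.normpath(ev["exe"])
            parents[ev["pid"]] = ev["ppid"]
            names[ev["pid"]] = posixpath.basename(exe)
            if names[ev["pid"]] in DOWNLOADERS and descends_from_server(ev["ppid"], parents, names):
                alerts.append(("downloader_under_server", ev["pid"]))
            if ev["user"] == "nobody" and in_watch_dir(exe):
                rule = "nobody_exec_dropped_binary" if exe in dropped else "nobody_exec_from_watch_dir"
                alerts.append((rule, ev["pid"]))
        elif ev["type"] == "write" and ev["user"] == "nobody":
            path = posixpath.normpath(ev["path"])
            if in_watch_dir(path):
                dropped.add(path)
                alerts.append(("nobody_write_watch_dir", ev["pid"]))
    return alerts
```

Calling detect(EVENTS) returns a list of (rule, pid) tuples; the root-owned curl and the root write to entrypoint.sh in the sample are intentionally not flagged.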

CVSS provenance

nvd · v3.1 · 8.8 HIGH · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vulncheck · 8.8 HIGH