CVE-2022-0073
Published: 2022-10-27
Priority: P1 · 86 · high · CVSS 3.1: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Tags: ITW · VulnCheck KEV · Ransomware
Exploited in the wild
EPSS: 8.66% (94.4th percentile)
Improper Input Validation vulnerability in LiteSpeed Technologies OpenLiteSpeed Web Server and LiteSpeed Web Server dashboards allows Command Injection. This affects 1.7.0 versions before 1.7.16.1.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| litespeed_technologies | litespeed_web_server | >= 1.7.0 < 1.7.16.1 | 1.7.16.1 |
| litespeed_technologies | openlitespeed_web_server | >= 1.7.0 < 1.7.16.1 | 1.7.16.1 |
| litespeedtech | openlitespeed | 1.7.0 – 1.7.16.1 | — |
Detection & IOCs (extracted from sources)
- snort: Palo Alto Networks Next-Generation Firewall Advanced Threat Prevention signature 93190
- snort: Palo Alto Networks Next-Generation Firewall Advanced Threat Prevention signature 93191
- Monitor the OpenLiteSpeed/LiteSpeed admin dashboard 'External App Command' field for command injection attempts — this is the vulnerable input vector for CVE-2022-0073.
- Alert on use of download utilities (curl, fetch, wget) invoked from the LiteSpeed server process context, as these were specifically added to the post-patch mitigation regex to block external script downloads.
- Detect file writes to /usr/local/bin by the 'nobody' user, which is the privilege escalation indicator for the chained CVE-2022-0074 exploit following initial RCE.
- Monitor for processes spawned as 'nobody' that subsequently execute binaries from /usr/local/bin, indicating potential binary hijacking via PATH manipulation.
- Flag OpenLiteSpeed/LiteSpeed versions 1.5.11 through 1.7.16 (open source) or 5.4.6 through 6.0.11 (enterprise) in asset inventory as vulnerable to this RCE chain.
- Note: The privilege escalation (CVE-2022-0074) via PATH hijacking is specific to the OpenLiteSpeed Docker container configuration where /usr/local/bin is writable by 'nobody' by default — bare-metal or custom deployments may not be affected.
- Note: Full privileged RCE requires chaining CVE-2022-0073 (command injection) with CVE-2022-0074 (privilege escalation); the initial command injection stage also requires valid admin dashboard credentials.
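One way to turn the process and file-write checks above into correlation logic, as an added example that is not taken from any of the cited sources. It runs over constructed JSON telemetry; the event field names and the LiteSpeed parent process names are assumptions to map onto your own EDR or auditd schema. It goes slightly beyond the list by also flagging execution, under any user, of a file that 'nobody' previously wrote into /usr/local/bin.

```python
import json
import posixpath

DOWNLOADERS = {"curl", "fetch", "wget"}  # utilities named in the list above
# Assumed web server process names; adjust to what your telemetry reports.
LSWS_PARENTS = {"litespeed", "openlitespeed", "lshttpd"}
WATCH_DIR = "/usr/local/bin/"

# Constructed sample telemetry, one JSON event per line (hypothetical schema).
SAMPLE_EVENTS = [
    '{"ts": 1, "type": "exec", "user": "nobody", "parent": "litespeed", "exe": "/usr/bin/curl"}',
    '{"ts": 2, "type": "write", "user": "nobody", "path": "/usr/local/bin/helper"}',
    '{"ts": 3, "type": "exec", "user": "root", "parent": "bash", "exe": "/usr/local/bin/helper"}',
    '{"ts": 4, "type": "exec", "user": "www", "parent": "nginx", "exe": "/usr/bin/curl"}',
    '{"ts": 5, "type": "write", "user": "root", "path": "/usr/local/bin/tool"}',
    '{"ts": 6, "type": "exec", "user": "nobody", "parent": "sh", "exe": "/usr/local/bin/../bin/tool"}',
]


def detect(lines):
    """Return (ts, rule, path) alerts for the three behaviours described above."""
    alerts, dropped = [], set()
    for line in lines:
        ev = json.loads(line)
        # Normalise so "/usr/local/bin/../bin/x" style paths still match.
        target = posixpath.normpath(ev.get("exe") or ev.get("path") or "")
        in_watch = target.startswith(WATCH_DIR)
        if ev["type"] == "exec":
            if posixpath.basename(target) in DOWNLOADERS and ev.get("parent") in LSWS_PARENTS:
                alerts.append((ev["ts"], "downloader-from-webserver", target))
            if in_watch and (ev["user"] == "nobody" or target in dropped):
                alerts.append((ev["ts"], "exec-from-usr-local-bin", target))
        elif ev["type"] == "write" and ev["user"] == "nobody" and in_watch:
            dropped.add(target)
            alerts.append((ev["ts"], "nobody-write-usr-local-bin", target))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Events must be fed in time order, since the exec rule depends on writes seen earlier in the stream.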
CVSS provenance
nvd · v3.1 · 8.8 HIGH · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vulncheck · 8.8 HIGH
GHSA
GHSA-p42f-x6hp-xv84: Improper Input Validation vulnerability in LiteSpeed Technologies OpenLiteSpeed Web Server Dashboard allows Command Injection
ghsa_unreviewed·2022-10-28
CVE-2022-0073 [HIGH] CWE-20 GHSA-p42f-x6hp-xv84: Improper Input Validation vulnerability in LiteSpeed Technologies OpenLiteSpeed Web Server Dashboard allows Command Injection
Improper Input Validation vulnerability in LiteSpeed Technologies OpenLiteSpeed Web Server Dashboard allows Command Injection. This affects 1.7.0 versions before 1.7.16.1.
VulnCheck
LiteSpeed Technologies openlitespeed Improper Input Validation
vulncheck·2022·CVSS 8.8
CVE-2022-0073 [HIGH] LiteSpeed Technologies openlitespeed Improper Input Validation
Improper Input Validation vulnerability in LiteSpeed Technologies OpenLiteSpeed Web Server and LiteSpeed Web Server dashboards allows Command Injection. This affects 1.7.0 versions before 1.7.16.1.
Affected: LiteSpeed Technologies openlitespeed
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Known Ransomware Campaign Use: Known
Exploitation References: https://www.sentinelone.com/blog/dragon-raas-pro-russian-hacktivist-group-aims-to-build-on-the-five-families-cybercrime-reputation/
No detection rules found.
No public exploits indexed.
Sentinelone
Dragon RaaS | Pro-Russian Hacktivist Group Aims to Build on "The Five Families" Cybercrime Reputation
blogs_sentinelone·2025-03-19
Dragon RaaS is a ransomware group that walks the line between hacktivism and cybercrime. Also known as DragonRansom or Dragon Team, it emerged in July 2024 as an offshoot of the Stormous group, itself part of a larger cybercrime syndicate known as “The Five Families,” which includes ThreatSec, GhostSec, Blackforums, and SiegedSec.
While Dragon RaaS markets itself as a sophisticated Ransomware-as-a-Service (RaaS) operation, its attacks are often defacements and opportunistic rather than large-scale ransomware extortion. Even so, it continues to find victims—typically smaller organizations with weak security postures that are often compromised through misconfigurations, brute-force attacks and stolen credentials. The group primarily targets organizations in the United States, Israel, Unit
Unit42
Unit 42 Finds Three Vulnerabilities in OpenLiteSpeed Web Server
blogs_unit42·2022-11-10·CVSS 5.8
CVE-2022-0072 [MEDIUM] Unit 42 Finds Three Vulnerabilities in OpenLiteSpeed Web Server
## Unit 42 Finds Three Vulnerabilities in OpenLiteSpeed Web Server
Artur Avetisyan
Published: November 10, 2022
Categories: Cloud Cybersecurity Research, Threat Research, Vulnerabilities
Tags: Containers, CVE-2022-0072, CVE-2022-0073, CVE-2022-0074, Exploit, Openlitespeed, Privilege escalation, Remote Code Execution, Web server
Unit42
Unit 42 Finds Three Vulnerabilities in OpenLiteSpeed Web Server
blogs_unit42·2022-11-10·CVSS 5.8
CVE-2022-0073 [MEDIUM] Unit 42 Finds Three Vulnerabilities in OpenLiteSpeed Web Server
## Executive Summary
The Unit 42 research team has researched and discovered three different vulnerabilities in the open source OpenLiteSpeed Web Server. These vulnerabilities also affect the enterprise version, LiteSpeed Web Server. By chaining and exploiting the vulnerabilities, adversaries could compromise the web server and gain fully privileged remote code execution. The vulnerabilities discovered include:
1. Remote Code Execution (CVE-2022-0073) rated High severity (CVSS 8.8)
2. Privilege Escalation (CVE-2022-0074) rated High severity (CVSS 8.8)
3. Directory Traversal (CVE-2022-0072) rated Medium severity (CVSS 5.8)
OpenLiteSpeed is the Open Source edition of LiteSpeed Web Server Enterprise, which is developed and maintained by LiteSpeed Technologies. LiteSpeed Web Server is ranke
https://github.com/litespeedtech/openlitespeed/blob/v1.7.16.1/dist/admin/html.open/lib/CValidation.php#L565
https://github.com/litespeedtech/openlitespeed/blob/v1.7.16/dist/admin/html.open/lib/CValidation.php#L565