CVE-2022-0557
published 2022-02-11

CVE-2022-0557: OS Command Injection in Packagist microweber/microweber prior to 1.2.11.

Priority: P2 68 high
CVSS 3.1: 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
Exploit: flagged
EPSS: 51.19% (98.8th percentile)

Affected

3 ranges

| Vendor     | Product               | Version range            | Fixed in |
|------------|-----------------------|--------------------------|----------|
| microweber | microweber            | < 1.2.11                 | 1.2.11   |
| microweber | microweber            | >= 0, < 1.2.11           | 1.2.11   |
| microweber | microweber_microweber | >= unspecified, < 1.2.11 | 1.2.11   |

Detection & IOCs (extracted from sources)

url: https://localhost/userfiles/media/default/shell.php7
path: /userfiles/media/default/shell.php7
filename: shell.php7

  • Attacker uploads a crafted PHP7 file (e.g. .php7 extension) disguised as a profile image via the User Section Add/Modify Users profile image upload functionality.
  • Monitor for file writes with .php7 extension under the /userfiles/media/ directory tree, which indicates a successful malicious upload.
  • Exploit requires authenticated access; monitor for authenticated POST requests to the user profile image upload endpoint followed by HTTP GET requests to /userfiles/media/default/*.php7.
  • Exploit targets Microweber version 1.2.11 specifically; the CVE covers all versions prior to 1.2.11, meaning the vulnerable upload behaviour exists across the broader pre-1.2.11 range as well.
  • Exploitation requires valid authenticated credentials (admin-level), so credential compromise or weak credentials are a prerequisite attack vector.

CVSS provenance

| Source | Version | Score | Severity | Vector                                       |
|--------|---------|-------|----------|----------------------------------------------|
| nvd    | v3.1    | 7.2   | HIGH     | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
| nvd    | v3.0    | 8.1   | HIGH     | CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N |
| nvd    | v2.0    | 9.0   | CRITICAL | AV:N/AC:L/Au:S/C:C/I:C/A:C                   |
| cisa   |         | 7.8   | HIGH     |                                              |