CVE-2022-2143
Published 2022-07-22
CVE-2022-2143: The affected product is vulnerable to two instances of command injection, which may allow an attacker to remotely execute arbitrary code.
Priority P181 · critical · 9.8 (CVSS 3.1)
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 59.18% (99.0th percentile)
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| advantech | iview | < 5.7.04.6469 | 5.7.04.6469 |
| advantech_iview | iview | >= All < 5_7_04_6469 | 5_7_04_6469 |
Detection & IOCs (extracted from sources)
- Monitor HTTP requests to the /NetworkServlet endpoint for the presence of the `backup_file` parameter containing mysqldump flags such as `-r` or `-w`, which are indicative of exploitation attempts.
- Alert on unauthenticated POST/GET requests to the NetworkServlet endpoint on Advantech iView instances, especially those originating from external/untrusted sources.
- Detect processes spawned as NT AUTHORITY\SYSTEM by the Advantech iView service, particularly child processes of mysqldump or web server processes, which may indicate successful RCE.
- The existing sanitization only checks for SQL injection and directory traversal patterns, meaning standard WAF rules targeting those patterns alone will NOT block this exploit. Detection must also cover mysqldump flag injection (e.g., `-r`, `-w`) in the `backup_file` parameter.
- This vulnerability affects TWO separate instances of command injection in the product, so patching or detection should account for both attack surfaces.
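One way to implement the first check in the list above, as an added example that is not taken from any of the indexed sources or from the vendor. It generalizes from `-r` and `-w` to any option-like token in `backup_file`; the `/app` path prefix, the file names and the sample requests are constructed placeholders.

```python
import re
from urllib.parse import urlsplit, parse_qs

ENDPOINT = "/NetworkServlet"  # endpoint named in the detection notes
PARAM = "backup_file"         # parameter named in the detection notes

# An option-like token: starts the value or follows whitespace, then '-' or '--'.
# Hyphens inside a file name (my-backup.sql) do not match.
OPTION_TOKEN = re.compile(r"(?:^|\s)(-{1,2}[A-Za-z][\w-]*)")


def option_tokens(value):
    """Return the option-like tokens found in one decoded parameter value."""
    return OPTION_TOKEN.findall(value)


def inspect_request(target, body=""):
    """Return option-like tokens in backup_file for a NetworkServlet request.

    target is the request target from the access log; body is an optional
    application/x-www-form-urlencoded POST body.
    """
    parts = urlsplit(target)
    if not parts.path.endswith(ENDPOINT):
        return []
    hits = []
    for encoded in (parts.query, body):
        for value in parse_qs(encoded, keep_blank_values=True).get(PARAM, []):
            hits.extend(option_tokens(value))
    return hits


# Constructed sample requests (method, target, body); "/app" and the file
# names are placeholders, not paths from the product.
SAMPLES = [
    ("GET", "/app/NetworkServlet?backup_file=nightly.sql", ""),
    ("GET", "/app/NetworkServlet?backup_file=my-backup.sql", ""),
    ("GET", "/app/NetworkServlet?backup_file=nightly.sql+-r+PLACEHOLDER", ""),
    ("POST", "/app/NetworkServlet", "backup_file=nightly.sql%20-w%20PLACEHOLDER"),
    ("GET", "/app/Other?backup_file=nightly.sql+-r+PLACEHOLDER", ""),
]

if __name__ == "__main__":
    for method, target, body in SAMPLES:
        hits = inspect_request(target, body)
        print("ALERT" if hits else "ok   ", method, target, hits)
```

Parameters sent in a POST body do not appear in a default access log, so the body has to come from a reverse proxy, WAF or packet capture that records it.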
GHSA
GHSA-4w4w-jrgw-jr5h: The affected product is vulnerable to two instances of command injection, which may allow an attacker to remotely execute arbitrary code
ghsa_unreviewed·2022-07-23
CVE-2022-2143 [CRITICAL] CWE-77 GHSA-4w4w-jrgw-jr5h: The affected product is vulnerable to two instances of command injection, which may allow an attacker to remotely execute arbitrary code
CISA ICS
Advantech iView
cisa_ics·2022-06-28·CVSS 7.5
[HIGH] Advantech iView
ICS Advisory
## Advantech iView
Last Revised: June 28, 2022
Alert Code: ICSA-22-179-03
## 1. EXECUTIVE SUMMARY
- CVSS v3 9.8
- ATTENTION: Exploitable remotely/low attack complexity
- Vendor: Advantech
- Equipment: iView
- Vulnerabilities: SQL Injection, Missing Authentication for Critical Function, Relative Path Traversal, Command Injection
## 2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow an attacker to read or modify sensitive data, disclose information, or execute arbitrary code.
## 3. TECHNICAL DETAILS
## 3.1 AFFECTED PRODUCTS
The following versions of
- http://packetstormsecurity.com/files/168108/Advantech-iView-NetworkServlet-Command-Injection.html
- https://www.cisa.gov/uscert/ics/advisories/icsa-22-179-03