CVE-2022-22831
published 2022-02-06

CVE-2022-22831: An issue was discovered in Servisnet Tessa 0.0.2. An attacker can add a new sysadmin user via a manipulation of the Authorization HTTP header.

Priority: P2 (67) · Severity: critical · CVSS 3.1 base score: 9.8
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Exploit: available
EPSS: 11.44% (95.5th percentile)

Affected

1 range
Vendor: servisnet · Product: tessa · Version range: (not listed) · Fixed in: (not listed)

Detection & IOCs (extracted from sources)

path: /js/app.js
path: /users
  • Detect an unauthenticated GET of /js/app.js followed by a POST to /users from the same source. This is the two-step exploitation pattern: first extract the hardcoded Authorization token from the frontend bundle, then create a rogue sysadmin account.
  • Alert on POST requests to /users whose JSON body contains the hardcoded encrypted password value 'hxZ8I33nmy9PZNhYhms/Dg==', which corresponds to the static plaintext password '1111111111' used by the exploit.
  • Flag POST requests to /users whose JSON body contains 'role_name': 'Sistem Admin', 'rolelevel': 3 and 'role_id': 1; this combination creates a highest-privilege sysadmin account.
  • Monitor for the Authorization header value taken from app.js (a Basic token) being replayed on POST requests. The exploit extracts this hardcoded default token from the publicly accessible frontend JavaScript file.
  • The hardcoded Authorization token is embedded in the publicly accessible app.js. The exploit parses the value at runtime from the target's own bundle, so the string varies per deployment, but it is always the value assigned to 'default.a.defaults.headers.post["Authorization"]'.
  • The same auth bypass also exposes the MQTT (Message Queuing Telemetry Transport) connection credentials, an additional lateral-movement risk beyond sysadmin account creation.
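A worked detection pass over the rules above, added here as an example; it is not code from the page's sources or from Servisnet. It assumes request records with bodies captured (for instance from a reverse proxy in front of Tessa), a 10-minute window for the two-step pattern, and a particular shape for the Authorization assignment inside the minified app.js; the sample traffic, source IPs, timestamps and the app.js line are constructed for the example, while the password value, role fields and app.js expression come from the IOC list.

```python
"""Detection logic for the CVE-2022-22831 exploitation pattern (added example).

Not code from the page's sources or from Servisnet. Runs the four IOC rules over
constructed HTTP request records (the shape of a reverse-proxy access log with
request bodies captured).
"""
import json
import re
from datetime import datetime, timedelta

# Encrypted form of the static password '1111111111' used by the exploit (from the IOC list).
HARDCODED_PW = "hxZ8I33nmy9PZNhYhms/Dg=="
# Role fields that create the highest-privilege account (from the IOC list).
SYSADMIN_ROLE = {"role_name": "Sistem Admin", "rolelevel": 3, "role_id": 1}
# Assumption: how close the GET /js/app.js and POST /users must be to count as one attack.
TWO_STEP_WINDOW = timedelta(minutes=10)

# The exploit pulls the default Authorization value out of app.js at runtime.
# Assumed shape of that assignment inside the minified bundle (constructed).
APPJS_TOKEN_RE = re.compile(
    r'default\.a\.defaults\.headers\.post\["Authorization"\]\s*=\s*"([^"]+)"'
)
BASIC_RE = re.compile(r"^Basic [A-Za-z0-9+/]+=*$")


def extract_default_token(app_js: str):
    """Return the hardcoded Authorization value found in an app.js body, or None."""
    m = APPJS_TOKEN_RE.search(app_js)
    return m.group(1) if m else None


def detect(events, default_token=None):
    """Apply the four IOC rules to request records.

    events: dicts with ts (ISO 8601), src, method, path, headers, body (str).
    default_token: the Authorization value extracted from the deployment's own
    app.js; when unknown, any Basic token on POST /users is flagged instead.
    Returns a list of (src, rule) tuples, one per rule matched.
    """
    alerts = []
    last_appjs_get = {}  # src -> time of the latest unauthenticated GET /js/app.js
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        src = ev["src"]
        headers = {k.lower(): v for k, v in ev.get("headers", {}).items()}
        if ev["method"] == "GET" and ev["path"] == "/js/app.js":
            if "authorization" not in headers:
                last_appjs_get[src] = ts
            continue
        if not (ev["method"] == "POST" and ev["path"] == "/users"):
            continue
        raw_body = ev.get("body") or ""
        try:
            body = json.loads(raw_body)
        except ValueError:
            body = {}
        if not isinstance(body, dict):
            body = {}
        # Rule 1: app.js fetched, then a user created, from the same source.
        if src in last_appjs_get and ts - last_appjs_get[src] <= TWO_STEP_WINDOW:
            alerts.append((src, "two-step: GET /js/app.js then POST /users"))
        # Rule 2: the exploit's hardcoded encrypted password appears in the body.
        if HARDCODED_PW in raw_body:
            alerts.append((src, "hardcoded password value in POST /users body"))
        # Rule 3: the body requests the sysadmin role.
        if all(body.get(k) == v for k, v in SYSADMIN_ROLE.items()):
            alerts.append((src, "sysadmin role fields in POST /users body"))
        # Rule 4: the default token from app.js is replayed as the Authorization header.
        auth = headers.get("authorization", "")
        replayed = auth == default_token if default_token else bool(BASIC_RE.match(auth))
        if replayed:
            alerts.append((src, "Authorization header replayed from app.js"))
    return alerts


# Constructed sample: one line of a minified bundle in the assumed shape.
SAMPLE_APP_JS = 'var t=n("8c4f");default.a.defaults.headers.post["Authorization"]="Basic dXNlcjpwYXNz";'

# Constructed sample traffic: 10.0.0.5 runs the two-step exploit,
# 10.0.0.9 is an ordinary logged-in user creating a low-privilege account.
SAMPLE_EVENTS = [
    {"ts": "2022-02-07T12:00:00", "src": "10.0.0.5", "method": "GET", "path": "/js/app.js",
     "headers": {"User-Agent": "python-requests/2.27"}, "body": ""},
    {"ts": "2022-02-07T12:00:03", "src": "10.0.0.5", "method": "POST", "path": "/users",
     "headers": {"Authorization": "Basic dXNlcjpwYXNz", "Content-Type": "application/json"},
     "body": json.dumps({"username": "backdoor", "password": HARDCODED_PW,
                         "role_name": "Sistem Admin", "rolelevel": 3, "role_id": 1})},
    {"ts": "2022-02-07T12:01:00", "src": "10.0.0.9", "method": "GET", "path": "/js/app.js",
     "headers": {"User-Agent": "Mozilla/5.0"}, "body": ""},
    {"ts": "2022-02-07T12:30:00", "src": "10.0.0.9", "method": "POST", "path": "/users",
     "headers": {"Authorization": "Bearer session-5f1c", "Content-Type": "application/json"},
     "body": json.dumps({"username": "alice", "role_name": "Operator", "rolelevel": 1, "role_id": 4})},
]

if __name__ == "__main__":
    token = extract_default_token(SAMPLE_APP_JS)
    for src, rule in detect(SAMPLE_EVENTS, token):
        print(f"{src}: {rule}")
```

Run stand-alone it reports all four rules for 10.0.0.5 and nothing for the ordinary user, whose app.js fetch is a normal page load well outside the window and whose request carries no Basic token. Feed `extract_default_token` the deployment's real /js/app.js so rule 4 matches the exact default token rather than any Basic header; the regex is an assumption about the bundle layout and should be adjusted to the real file.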

CVSS provenance

NVD · v3.1 · 9.8 CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD · v2.0 · 7.5 HIGH · AV:N/AC:L/Au:N/C:P/I:P/A:P