CVE-2022-22833
published 2022-02-06
CVE-2022-22833: An issue was discovered in Servisnet Tessa 0.0.2. An attacker can obtain sensitive information via a /js/app.js request.
Priority P258 · high · 7.5 · CVSS 3.1
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EXPLOIT
EPSS: 11.48% (95.5th percentile)
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| servisnet | tessa | — | — |
Detection & IOCs (extracted from sources)
- Detect unauthenticated GET requests to /js/app.js: this file exposes MQTT credentials, Authorization header defaults, baseURL, and session logic used for privilege escalation.
- Look for Authorization headers of the form 'Basic <base64(username:usersessionid)>': the exploit constructs tokens by base64-encoding the username and active sessionId extracted from the API, not a password.
- Monitor POST requests to the users endpoint with a JSON body containing role_id:1 and role_name 'Sistem Admin': this is the payload used to add a rogue sysadmin account.
- Detect the hardcoded encrypted password value 'hxZ8I33nmy9PZNhYhms/Dg==' (plaintext: 1111111111) in POST bodies to the users API: this is the fixed password used when creating the rogue admin user.
- Alert on responses from /js/app.js containing the string 'connectionMQTT': this indicates MQTT broker credentials (host, port, clientId, username, password) are exposed in the JavaScript file.
- Alert on responses from /js/app.js containing 'default.a.defaults.headers.post': this string indicates the hardcoded Authorization header value is present and the target is vulnerable.
- Alert on responses from /js/app.js containing 'user.usersessionid': the exploit uses this as its primary vulnerability check indicator.
- Monitor POST requests to the signin endpoint (e.g. /api/auth/signin) with JSON credentials followed immediately by enumeration GET requests to /users/<id> in sequence: this is the exploit's login-then-enumerate-admin pattern.
- The Metasploit module for CVE-2022-22833 (MQTT Credentials Dump) targets port 443 with SSL by default; defenders should also check for the same exposure on non-standard ports if the application is deployed differently.
- The privilege escalation exploit (CVE-2022-22832, exploit-db 50712) requires an active admin session to be present: the rogue admin user can only be added if an admin is currently logged in and their sessionId is live.
- The MQTT credential dump is fully unauthenticated: no prior credentials are needed to retrieve MQTT broker connection details from /js/app.js.
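
Several of the checks listed above can be combined into one log and response scanner. The Python below is an added example, not code from the original page or from Servisnet; the log-record fields (`method`, `path`, `authorization`, `body`), the `live_sessions` set (assumed to come from the application's session store) and the sample values are constructed assumptions.

```python
import base64
import json

# Indicator strings listed above for a served /js/app.js body.
BUNDLE_MARKERS = ("connectionMQTT", "default.a.defaults.headers.post", "user.usersessionid")
ROGUE_PASSWORD = "hxZ8I33nmy9PZNhYhms/Dg=="  # fixed value quoted in the list above

def scan_bundle(body):
    """Return the indicator strings present in a /js/app.js response body."""
    return [m for m in BUNDLE_MARKERS if m in body]

def basic_pair(header):
    """Decode 'Basic <base64>' into (username, secret); None if malformed."""
    scheme, _, blob = (header or "").partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        text = base64.b64decode(blob, validate=True).decode("utf-8")
    except ValueError:  # covers invalid base64 and invalid UTF-8
        return None
    user, sep, secret = text.partition(":")
    return (user, secret) if sep else None

def flag_request(req, live_sessions):
    """Return the reasons one logged request matches the patterns above."""
    reasons = []
    pair = basic_pair(req.get("authorization"))
    if pair and pair[1] in live_sessions:
        reasons.append("basic-token-from-sessionid")
    if req["method"] == "POST" and "/users" in req["path"]:
        raw = req.get("body") or ""
        try:
            doc = json.loads(raw)
        except ValueError:
            doc = None
        if (isinstance(doc, dict) and str(doc.get("role_id")) == "1"
                and doc.get("role_name") == "Sistem Admin"):
            reasons.append("sysadmin-role-in-user-create")
        if ROGUE_PASSWORD in raw:  # matched on the raw body; the field name is not assumed
            reasons.append("fixed-encrypted-password")
    return reasons

# Constructed sample data (not captured traffic); names and paths are assumptions.
SESSIONS = {"sess-constructed-001"}
TOKEN = base64.b64encode(b"alice:sess-constructed-001").decode()
SAMPLE = {"method": "POST", "path": "/data-service/users", "authorization": "Basic " + TOKEN,
          "body": json.dumps({"role_id": 1, "role_name": "Sistem Admin", "password": ROGUE_PASSWORD})}
```

Run `scan_bundle` against the body your own deployment serves at /js/app.js; an empty list means none of the three indicator strings is present.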
CVSS provenance
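| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N |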
No detection rules found.
Exploit-DB
Servisnet Tessa - Privilege Escalation (Metasploit)
exploitdb·2022-02-04·CVSS 9.8
CVE-2022-22833 [CRITICAL] Servisnet Tessa - Privilege Escalation (Metasploit)
---
```ruby
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule 'Servisnet Tessa - Privilege Escalation (Metasploit)',
'Description' => %q(
This module exploits privilege escalation in Servisnet Tessa, triggered by adding a new sysadmin user with any user authorization.
An API request to "/data-service/users/[userid]" with any low-authority user returns other users' information in response.
The encrypted password information is included here, but privilege escalation is possible with the active sessionid value.
var token = Buffer.from(`${user.username}:${user.usersessionid}`, 'utf8').toString('base64');
The logic required for the Authoriz
```
Exploit-DB
Servisnet Tessa - MQTT Credentials Dump (Unauthenticated) (Metasploit)
exploitdb·2022-02-04·CVSS 7.5
CVE-2022-22832 [HIGH] Servisnet Tessa - MQTT Credentials Dump (Unauthenticated) (Metasploit)
---
```ruby
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'metasploit/framework/credential_collection'
require 'metasploit/framework/login_scanner/mqtt'
class MetasploitModule 'Servisnet Tessa - MQTT Credentials Dump (Unauthenticated) (Metasploit)',
'Description' => %q(
This module exploits MQTT creds dump vulnerability in Servisnet Tessa.
The app.js is publicly available which acts as the backend of the application.
By exposing a default value for the "Authorization" HTTP header,
it is possible to make unauthenticated requests to some areas of the application.
Even MQTT(Message Queuing Telemetry Transport) protocol connectio
```
No writeups or analysis indexed.
- http://packetstormsecurity.com/files/165867/Servisnet-Tessa-MQTT-Credential-Disclosure.html
- http://www.servisnet.com.tr/en/page/products
- https://pentest.com.tr/exploits/Servisnet-Tessa-MQTT-Credentials-Dump-Unauthenticated.html
- https://www.exploit-db.com/exploits/50713