CVE-2022-23854
published 2022-12-23


Priority: P2 (73, high)
CVSS 3.1: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
Exploit: flagged
EPSS: 45.96% (98.7th percentile)
AVEVA InTouch Access Anywhere versions 2020 R2 and older are vulnerable to a path traversal exploit that could allow an unauthenticated user with network access to read files on the system outside of the secure gateway web server.

Affected (3 ranges)

Vendor   Product                   Version range   Fixed in
aveva    intouch_access_anywhere   < 2020          2020
aveva    intouch_access_anywhere   <= 2020 R2      (none listed)
aveva    intouch_access_anywhere   (unspecified)   (none listed)

Detection & IOCs (extracted from sources)

url: /AccessAnywhere/%252e%252e%255c%252e%252e%255c%252e%252e%255c%252e%252e%255c%252e%252e%255c%252e%252e%255c%252e%252e%255c%252e%252e%255c%252e%252e%255c%252e%252e%255cwindows%255cwin.ini
path: /AccessAnywhere/
other: EricomSecureGateway/8.4.0.26844.*
sigma:
shodan-query: http.html:"InTouch Access Anywhere"
  • HTTP GET requests to /AccessAnywhere/ containing double-percent-encoded path traversal sequences (%252e%252e%255c) targeting Windows files (e.g., windows%255cwin.ini) are indicative of CVE-2022-23854 exploitation attempts.
  • Successful exploitation returns HTTP 200 with Content-Type 'text/ini' or 'application/octet-stream' and body containing 'for 16-bit app support' and 'extensions', indicating win.ini was read from the server.
  • The vulnerability is unauthenticated and exploitable remotely with low attack complexity; monitor for unauthenticated access to the /AccessAnywhere/ endpoint with encoded dot-dot-backslash sequences in the URI.
  • Identify exposed AVEVA InTouch Access Anywhere instances via Shodan (http.html:"InTouch Access Anywhere") or FOFA (body="intouch access anywhere") to assess attack surface.
  • The path traversal payload uses double percent-encoding (%252e%252e%255c) to bypass input validation; detection rules must account for this double-encoded form rather than standard ../ sequences.
  • Affected versions are InTouch Access Anywhere 2020 R2 and older (CVE-2022-23854 specific); the CISA Update A advisory expanded affected scope to InTouch Access Anywhere 2023 and prior for related CVEs, but CVE-2022-23854 path traversal applies to 2020 R2 and older.
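The detection notes above stress that the traversal sequence only becomes visible after the URI is percent-decoded twice. The following is an added example (not from the page or from AVEVA/CISA) of a log-scanning check that decodes a request URI until it is stable and then looks for dot-dot segments under the /AccessAnywhere/ path, so both the double-encoded form listed as an IoC and a plainly single-encoded variant are caught. The sample log lines, the Common Log Format layout, the `/AccessAnywhere/` prefix and the three-round decode bound are all assumptions made for the example.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not taken from the original page).
# Line 1 carries a shortened form of the double-encoded traversal URI the page
# lists as an IoC; line 3 is a single-encoded variant; lines 2 and 4 are benign.
SAMPLE_LOG = """\
10.0.0.5 - - [23/Dec/2022:10:01:02 +0000] "GET /AccessAnywhere/%252e%252e%255c%252e%252e%255cwindows%255cwin.ini HTTP/1.1" 200 512
10.0.0.6 - - [23/Dec/2022:10:01:03 +0000] "GET /AccessAnywhere/ HTTP/1.1" 200 2048
10.0.0.7 - - [23/Dec/2022:10:01:04 +0000] "GET /AccessAnywhere/%2e%2e/%2e%2e/windows/win.ini HTTP/1.1" 404 0
10.0.0.8 - - [23/Dec/2022:10:01:05 +0000] "GET /static/app.js HTTP/1.1" 200 9000
"""

# Pull method and URI out of a Common Log Format request field (assumed format).
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/')

# A ".." path segment delimited by either slash style; backslashes matter here
# because the IoC uses %255c (-> %5c -> "\"), which Windows treats as a separator.
TRAVERSAL_RE = re.compile(r'(^|[\\/])\.\.([\\/]|$)')


def fully_decode(uri, max_rounds=3):
    """Percent-decode repeatedly until the string stops changing (bounded).

    This turns %252e%252e%255c into %2e%2e%5c and then into ..\\, so the
    detector does not depend on how many encoding layers the sender used.
    """
    current = uri
    for _ in range(max_rounds):
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
    return current


def is_traversal_attempt(uri, prefix="/AccessAnywhere/"):
    """True if the decoded URI targets the gateway path and contains a '..' segment."""
    decoded = fully_decode(uri)
    if not decoded.lower().startswith(prefix.lower()):
        return False
    return TRAVERSAL_RE.search(decoded) is not None


def scan_log(text):
    """Return (raw_uri, decoded_uri) pairs for every request line that matches."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if m and is_traversal_attempt(m.group("uri")):
            hits.append((m.group("uri"), fully_decode(m.group("uri"))))
    return hits


if __name__ == "__main__":
    for raw, decoded in scan_log(SAMPLE_LOG):
        print(f"traversal attempt: {raw}  ->  {decoded}")
```

The decode loop is the point: a rule that only matches literal `../` misses the `%252e%252e%255c` form entirely, while a rule that decodes exactly once misses it too. Decoding until stable, then normalising on both separator characters, gives one check that covers single, double and mixed encodings; the bound on rounds keeps a hostile input from making the check loop for long.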