cbcvebase.
CVE-2022-24637
published 2022-03-18

Priority: P180 · Severity: critical · CVSS 3.1 base score: 9.8
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: public exploit known
EPSS: 99.13% (99.9th percentile)
Open Web Analytics (OWA) before 1.7.4 allows an unauthenticated remote attacker to obtain sensitive user information, which can be used to gain admin privileges by leveraging cache hashes. This occurs because files generated with '<?php (instead of the intended "<?php sequence) aren't handled by the PHP interpreter.

Affected (2 ranges)

Vendor: open-web-analytics · Product: open-web-analytics · Version range: >= 0, < 1.7.4 · Fixed in: 1.7.4
Vendor: openwebanalytics · Product: open_web_analytics · Version range: < 1.7.4 · Fixed in: 1.7.4

Detection & IOCs (extracted from sources)

path: owa-data/caches/
path: /owa-data/caches/<random>.php
path: /var/www/html/owa/owa-data/caches/
url: /index.php?owa_do=base.optionsGeneral
command: owa_action=base.optionsUpdate&owa_config[base.error_log_file]=owa-data/caches/<randstr>.php&owa_config[base.error_log_level]=2
cookie: owa_p=<hash>; owa_u=admin
command: owa_action=base.usersChangePassword
  • Detect unauthenticated GET requests to OWA user cache PHP files at the pattern /owa-data/caches/<int>/owa_user/<md5hash>.php — these are iterated by the exploit to find user credential caches.
  • Detect POST requests to /index.php?owa_do=base.optionsGeneral containing owa_config[base.error_log_file] pointing to a .php file inside owa-data/caches/ — this is the log-poisoning step that writes the webshell.
  • Detect POST requests to /index.php?owa_do=base.optionsGeneral containing owa_config[shell] in the body — this is the step that writes the reverse-shell payload into the log file.
  • Detect GET requests to /owa-data/caches/*.php — execution of a dynamically created PHP file in the cache directory indicates successful webshell deployment.
  • The exploit iterates cache keys 0–99 and derives filenames via MD5 of 'user_id<N>' to locate credential cache files; alert on rapid sequential GET requests matching /owa-data/caches/[0-9]+/owa_user/[a-f0-9]{32}\.php from a single source IP.
  • The NVD description notes that cache files beginning with '<?php (single-quote prefix instead of proper PHP open tag) are not executed by PHP — detection of such files in owa-data/caches/ indicates exploitation of the cache-exposure vulnerability.
  • The shell filename is randomly generated (8 random chars + .php) per exploit run, so static filename-based detection will not work; pattern-based detection on the directory path is required.
  • The exploit hardcodes the log file path as /var/www/html/owa/owa-data/caches/<shell>.php; installations in non-default paths will use a different absolute path, but the relative web path owa-data/caches/ remains consistent.
  • The vulnerability affects OWA versions before 1.7.4; the exploit confirms the target by checking for 'version=1.7.3' in the main page response.
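The detection notes above translate directly into log rules. The following is an added example (not code from the page, from NVD, or from the OWA project) that applies those rules to web server log lines. It assumes a hypothetical log format: Apache combined-style prefix followed by one extra quoted field carrying the request body, as a reverse proxy or WAF might emit, since a plain access log does not record POST bodies and the log-poisoning and shell-write steps are only visible in the body. The sample lines are constructed; the hashes, IP addresses and the cache filename q7xk2p9m.php are placeholders, not IoCs from the page.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Hypothetical log format (assumption): combined-format prefix plus a trailing
# quoted request-body field. Groups: ip, ts, method, path, status, body.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ "(?P<body>[^"]*)"$'
)

# Patterns derived from the detection notes on this page.
USER_CACHE_RE = re.compile(r'/owa-data/caches/\d+/owa_user/[a-f0-9]{32}\.php')   # credential cache probe
CACHE_PHP_RE = re.compile(r'/owa-data/caches/[^/\s"]+\.php')                    # PHP file in cache dir
OPTIONS_PATH_RE = re.compile(r'/index\.php\?owa_do=base\.optionsGeneral')
LOG_POISON_RE = re.compile(
    r'owa_config\[base\.error_log_file\]=[^&\s"]*owa-data/caches/[^&\s"]*\.php'  # log file moved into cache dir
)
SHELL_BODY_RE = re.compile(r'owa_config\[shell\]=')                             # payload written into the log


def analyze(log_text, enum_threshold=5):
    """Return a list of (rule, source_ip, detail) tuples for the given log text.

    Single requests fire immediately; user-cache probes are counted per source IP
    and reported once when the count reaches enum_threshold.
    """
    alerts = []
    enum_hits = Counter()
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # not in the expected format; a real pipeline would log this
        ip, method, path = m['ip'], m['method'], m['path']
        body = unquote(m['body'])  # bodies are URL-encoded; brackets arrive as %5B/%5D
        if method == 'GET' and USER_CACHE_RE.search(path):
            enum_hits[ip] += 1
        elif method == 'GET' and CACHE_PHP_RE.search(path):
            alerts.append(('cache_php_execution', ip, path))
        elif method == 'POST' and OPTIONS_PATH_RE.search(path):
            if LOG_POISON_RE.search(body):
                alerts.append(('log_poisoning', ip, path))
            if SHELL_BODY_RE.search(body):
                alerts.append(('shell_payload_write', ip, path))
    for ip, n in enum_hits.items():
        if n >= enum_threshold:
            alerts.append(('user_cache_enumeration', ip, f'{n} requests'))
    return alerts


def _line(ip, method, path, status=200, body='-'):
    # Helper that emits one constructed line in the hypothetical format above.
    return f'{ip} - - [18/Mar/2022:10:00:01 +0000] "{method} {path} HTTP/1.1" {status} 512 "{body}"'


# Constructed sample log (not real traffic): five cache probes, the two POSTs that
# poison the log, a fetch of the resulting cache PHP file, and one benign request.
SAMPLE_LOG = '\n'.join(
    [_line('203.0.113.7', 'GET', f'/owa/owa-data/caches/{i}/owa_user/{i:032x}.php', 404)
     for i in range(5)]
    + [
        _line('203.0.113.7', 'POST', '/owa/index.php?owa_do=base.optionsGeneral',
              body='owa_action=base.optionsUpdate&owa_config%5Bbase.error_log_file%5D='
                   'owa-data/caches/q7xk2p9m.php&owa_config%5Bbase.error_log_level%5D=2'),
        _line('203.0.113.7', 'POST', '/owa/index.php?owa_do=base.optionsGeneral',
              body='owa_action=base.optionsUpdate&owa_config%5Bshell%5D=REDACTED'),
        _line('203.0.113.7', 'GET', '/owa/owa-data/caches/q7xk2p9m.php'),
        _line('198.51.100.20', 'GET', '/owa/index.php?owa_do=base.reportDashboard'),
    ]
)

if __name__ == '__main__':
    for rule, ip, detail in analyze(SAMPLE_LOG):
        print(f'{rule:24} {ip:15} {detail}')
```

The rules are matched on the web path rather than the filesystem path, which is what the last two notes above recommend: the absolute install directory varies, the random filename defeats static indicators, but owa-data/caches/ is stable. The enumeration threshold is deliberately low because legitimate clients never request user cache files directly; tune it to zero-tolerance if the cache directory is not supposed to be web-reachable at all.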

CVSS provenance

NVD, CVSS v3.1: 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD, CVSS v2.0: 5.0 MEDIUM, AV:N/AC:L/Au:N/C:P/I:N/A:N