CVE-2022-25226
Published 2022-04-18
Priority: P182, critical, CVSS 3.1 score 10
Vector: AV:N / AC:L / PR:N / UI:N / S:C / C:H / I:H / A:H
EXPLOIT
EPSS: 10.87% (95.3th percentile)
ThinVNC version 1.0b1 allows an unauthenticated user to bypass the authentication process via 'http://thin-vnc:8080/cmd?cmd=connect' by obtaining a valid SID without any kind of authentication. It is possible to achieve code execution on the server by sending keyboard or mouse events to the server.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| cybelsoft | thinvnc | — | — |
| cybelsoft | thinvnc | — | — |
Detection & IOCs (extracted from sources)
- url: {{BaseURL}}/cmd?cmd=connect
- other: http.favicon.hash:-1414548363
- other: icon_hash="571240285"
- HTTP GET request to /cmd?cmd=connect endpoint on ThinVNC server returns a 200 response containing both 'cmd":"connectStatus' and 'authStatus":1' in the body, indicating successful authentication bypass without credentials.
- Identify exposed ThinVNC 1.0b1 instances via Shodan using favicon hash -1414548363 or FOFA using icon_hash 571240285.
- Authentication bypass allows unauthenticated SID acquisition; subsequent keyboard/mouse event messages to the server can achieve code execution.
- ThinVNC default port is 8080; detection should target this port unless the deployment uses a non-standard port.
- The vulnerability is confirmed only for ThinVNC version 1.0b1 (CPE: cpe:2.3:a:cybelsoft:thinvnc:1.0:b1); other versions may not be affected.
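CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 10.0 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |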
No detection rules found.
Nuclei
CVE-2022-25226 [CRITICAL] ThinVNC - Authentication Bypass (nuclei, CVSS 10.0)
ThinVNC version 1.0b1 allows an unauthenticated user to bypass the authentication process via a specific command, potentially leading to unauthorized access and code execution.
Template:
```yaml
id: CVE-2022-25226

info:
  name: ThinVNC - Authentication Bypass
  author: ritikchaddha
  severity: critical
  description: |
    ThinVNC version 1.0b1 allows an unauthenticated user to bypass the authentication process via a specific command, potentially leading to unauthorized access and code execution.
  impact: |
    An attacker can bypass authentication and gain unauthorized access to the ThinVNC server.
  remediation: |
    Apply the vendor-supplied patch or update to the latest version to mitigate the CVE-2022-25226 vulnerability.
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:
```
No writeups or analysis indexed.