CVE-2022-25322
Published: 2022-02-18
Priority: P181 · Critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Badges: ITW · Exploit · VulnCheck KEV
Exploited in the wild
EPSS: 8.56% (94.4th percentile)
ZEROF Web Server 2.0 allows /HandleEvent SQL Injection.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| zerof | web_server | — | — |
Detection & IOCs
- command: Ajax=1&IsEvent=1&Obj=O33&Evt=keypress&this=O33&char=%0D&"_fp_=_S_ID={{s_id}}&O33=%020%02%02'&_seq_=2&_uo_=O0
- other: Server: ZEROF Web Server
- Fingerprint ZEROF Web Server by checking the HTTP response body for '_S_ID' and 'ZEROF Web Server' strings with HTTP 200 status before attempting exploitation.
- Extract the session ID token from the response body using the regex pattern '_S_ID="_S_ID=(.*?)";' and use it in the POST payload to /HandleEvent.
- SQL injection success can be confirmed by detecting the string 'You have an error in your SQL syntax' in the HTTP response body after sending the crafted POST to /HandleEvent.
- Confirm the target is a ZEROF Web Server by checking for 'ZEROF Web Server' in the HTTP response headers.
- Use Shodan query 'Server: ZEROF Web Server' to identify internet-exposed ZEROF Web Server 2.0 instances potentially vulnerable to CVE-2022-25322.
- The exploit POST request must use Content-Type: application/x-www-form-urlencoded and include the SQL injection payload in the O33 parameter (value containing a single quote).
- The exploit requires a two-step flow: first GET / to fingerprint the server and extract the dynamic session ID (_S_ID), then POST /HandleEvent with the session ID embedded in the payload. Static replay without a valid session ID will fail.
- The POST request to /HandleEvent must be sent with the 'unsafe: true' flag, indicating it contains raw/non-standard characters that standard HTTP clients may reject or encode.
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| vulncheck | — | 9.8 | CRITICAL | — |
GHSA
GHSA-qm9c-x9hh-pr9m: ZEROF Web Server 2
ghsa_unreviewed · 2022-02-19 · CVE-2022-25322 [CRITICAL] · CWE-89
ZEROF Web Server 2.0 allows /HandleEvent SQL Injection.
VulnCheck
zerof web_server Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
vulncheck · 2022 · CVE-2022-25322 [CRITICAL] · CVSS 9.8
ZEROF Web Server 2.0 allows /HandleEvent SQL Injection.
Affected: zerof web_server
Required Action: Apply remediations or mitigations per vendor instructions, or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References:
- https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-01-22&host_type=src&vulnerability=cve-2022-25322
- https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-01-24&host_type=src&vulnerability=cve-2022-25322
- https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-01-27&host_type=src&vulnerability=cve-2022-25322
- https://dashboard.shadowserver.
No detection rules found.
Nuclei
ZEROF Web Server 2.0 - SQL Injection
nuclei · CVE-2022-25322 [CRITICAL] · CVSS 9.8
ZEROF Web Server 2.0 allows SQL Injection via the /HandleEvent endpoint. Attackers can exploit this vulnerability by manipulating the request parameters to execute arbitrary SQL queries.
Template:

```yaml
id: CVE-2022-25322

info:
  name: ZEROF Web Server 2.0 - SQL Injection
  author: daffainfo
  severity: critical
  description: |
    ZEROF Web Server 2.0 allows SQL Injection via the /HandleEvent endpoint. Attackers can exploit this vulnerability by manipulating the request parameters to execute arbitrary SQL queries.
  impact: |
    Successful exploitation of this vulnerability could allow an attacker to execute arbitrary SQL queries, potentially leading to unauthorized access, data leakage, or data manipulation.
  remediation: |
    Apply the latest security patches or updates p
```
No writeups or analysis indexed.
Timeline: 2022-02-18 Published · Exploited in the wild