CVE-2022-25322
published 2022-02-18

CVE-2022-25322: ZEROF Web Server 2.0 allows /HandleEvent SQL Injection.

Priority: P181
Severity: critical, 9.8 (CVSS 3.1)
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: ITW, Exploit, VulnCheck KEV
Exploited in the wild
EPSS: 8.56% (94.4th percentile)

Affected (1 range)

Vendor: zerof
Product: web_server
Version range: (not given)
Fixed in: (not given)

Detection & IOCs (extracted from sources)

url: /HandleEvent
path: /HandleEvent
command: Ajax=1&IsEvent=1&Obj=O33&Evt=keypress&this=O33&char=%0D&"_fp_=_S_ID={{s_id}}&O33=%020%02%02'&_seq_=2&_uo_=O0
other: Server: ZEROF Web Server
  • Fingerprint ZEROF Web Server by checking the HTTP response body for '_S_ID' and 'ZEROF Web Server' strings with HTTP 200 status before attempting exploitation.
  • Extract the session ID token from the response body using the regex pattern '_S_ID="_S_ID=(.*?)";' and use it in the POST payload to /HandleEvent.
  • SQL injection success can be confirmed by detecting the string 'You have an error in your SQL syntax' in the HTTP response body after sending the crafted POST to /HandleEvent.
  • Confirm the target is a ZEROF Web Server by checking for 'ZEROF Web Server' in the HTTP response headers.
  • Use Shodan query 'Server: ZEROF Web Server' to identify internet-exposed ZEROF Web Server 2.0 instances potentially vulnerable to CVE-2022-25322.
  • The exploit POST request must use Content-Type: application/x-www-form-urlencoded and include the SQL injection payload in the O33 parameter (value containing a single quote).
  • The exploit requires a two-step flow: first GET / to fingerprint the server and extract the dynamic session ID (_S_ID), then POST /HandleEvent with the session ID embedded in the payload. Static replay without a valid session ID will fail.
  • The POST request to /HandleEvent must be sent with the 'unsafe: true' flag, indicating it contains raw/non-standard characters that standard HTTP clients may reject or encode.
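As an added, defender-side example that is not part of this record: a small Python checker that applies the request and response indicators listed above (form-encoded POST to /HandleEvent, IsEvent=1, a single quote in O33, the SQL syntax-error string in the reply) to raw HTTP text. The sample requests and the session-ID value are constructed placeholders, not captured traffic.

```python
from urllib.parse import parse_qs, unquote

# Response-side indicator quoted in the notes above (MySQL syntax error text).
SQL_ERROR_MARKER = "You have an error in your SQL syntax"

def parse_request(raw: str):
    """Split a raw HTTP/1.x request into (method, path, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _ = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target.split("?", 1)[0], headers, body

def is_handleevent_sqli(raw: str) -> bool:
    """True when a request matches the CVE-2022-25322 pattern: a form-encoded
    POST to /HandleEvent with IsEvent=1 and a single quote in the O33 field."""
    method, path, headers, body = parse_request(raw)
    if method != "POST" or path != "/HandleEvent":
        return False
    if "application/x-www-form-urlencoded" not in headers.get("content-type", ""):
        return False
    form = parse_qs(body, keep_blank_values=True)
    # parse_qs percent-decodes once; unquote again so a %2527-style
    # double-encoded quote is still caught.
    o33 = "".join(unquote(v) for v in form.get("O33", []))
    return form.get("IsEvent", [""])[0] == "1" and "'" in o33

def response_leaks_sql_error(body: str) -> bool:
    """True when a response body carries the SQL error string; seen on the
    server side it means a crafted O33 value reached the database."""
    return SQL_ERROR_MARKER in body

# Constructed sample traffic for this example (not captured data);
# the session ID is a placeholder.
BENIGN_REQUEST = (
    "POST /HandleEvent HTTP/1.1\r\nHost: example.test\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    "Ajax=1&IsEvent=1&Obj=O33&Evt=keypress&O33=hello&_seq_=2"
)
SUSPECT_REQUEST = (
    "POST /HandleEvent HTTP/1.1\r\nHost: example.test\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    "Ajax=1&IsEvent=1&Obj=O33&Evt=keypress&this=O33&char=%0D&"
    "_fp_=_S_ID=PLACEHOLDER_SESSION_ID&O33=%020%02%02'&_seq_=2&_uo_=O0"
)
```

The same predicate can be dropped into a WAF rule or a proxy log parser; matching on the decoded O33 value rather than the raw body is what keeps the %02 padding and encoding variants from slipping past it.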

CVSS provenance

nvd v3.1: 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd v2.0: 7.5 HIGH, AV:N/AC:L/Au:N/C:P/I:P/A:P
vulncheck: 9.8 CRITICAL