CVE-2022-26352
published 2022-07-17


Priority: P1 · 99 · critical
CVSS 3.1: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Tags: KEV, ITW, EXPLOIT, Ransomware
CISA Known Exploited Vulnerability, due 2022-09-15
Exploited in the wild
EPSS: 91.50% (99.8th percentile)
An issue was discovered in the ContentResource API in dotCMS 3.0 through 22.02. Attackers can craft a multipart form request to post a file whose filename is not initially sanitized. This allows directory traversal, in which the file is saved outside of the intended storage location. If anonymous content creation is enabled, this allows an unauthenticated attacker to upload an executable file, such as a .jsp file, that can lead to remote code execution.

Affected

1 range

Vendor    Product    Version range    Fixed in
dotcms    dotcms     3.0 – 22.02      (none listed)

Detection & IOCs (extracted from sources)

url: POST /api/content/ HTTP/1.1
path: /api/content/
path: ../../../../../../../../../srv/dotserver/tomcat-9.0.41/webapps/ROOT/
filename: *.jsp (uploaded via directory traversal to webapps/ROOT/)
snort:
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT dotCMS Arbitrary File Upload Attempt (CVE-2022-26352) M1"; flow:established,to_server; http.request_line; content:"POST|20|/api/content/|20|"; startswith; fast_pattern; http.content_type; content:"multipart/form-data|3b|"; startswith; http.request_body; content:"filename=|22 2e 2e 2f|"; reference:url,blog.assetnote.io/2022/05/03/hacking-a-bank-using-dotcms-rce/; reference:url,www.dotcms.com/security/SI-62; reference:cve,2022-26352; classtype:attempted-admin; sid:2036457; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2022_05_04, cve CVE_2022_26352, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag CISA_KEV, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2022_05_04;)
bytes: filename=|22 2e 2e 2f| (in HTTP request body)
  • Detect multipart POST requests to /api/content/ where the Content-Disposition filename begins with directory traversal sequences (e.g., '../') — the core exploit primitive for CVE-2022-26352.
  • Alert on HTTP POST to /api/content/ with Content-Type multipart/form-data AND a request body containing filename="../ (hex: 22 2e 2e 2f) — as captured in Emerging Threats SID 2036457.
  • Monitor for .jsp files appearing in the dotCMS webapps/ROOT directory, especially with random or unexpected names — indicative of successful exploitation and webshell placement.
  • CVE-2022-26352 is exploitable without authentication if anonymous content creation is enabled; prioritize detection on unauthenticated POST requests to /api/content/.
  • This vulnerability is actively exploited by HolyGhost (DEV-0530) ransomware operators as an initial access vector; correlate dotCMS exploitation attempts with subsequent lateral movement, credential theft, or ransomware staging activity.
  • Use Shodan/FOFA/Google dorks to identify exposed dotCMS instances as potential targets: shodan-query 'http.title:"dotcms"', fofa-query 'title="dotcms"', google-query 'intitle:"dotcms"'.
  • Exploitation only succeeds without authentication if the dotCMS instance has anonymous content creation enabled; instances requiring authentication are harder to exploit remotely.
  • The traversal path depth in the exploit payload targets a specific Tomcat deployment path (srv/dotserver/tomcat-9.0.41/webapps/ROOT/); actual traversal depth and target path may vary by installation.
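The detection logic of the Emerging Threats rule above (POST to /api/content/, multipart/form-data body, Content-Disposition filename beginning with "../") expressed as a small request inspector, added here as an example; it is not part of the original page, of dotCMS, or of the ET ruleset. It goes slightly beyond the rule: it treats any ".." path segment in the filename (forward or back slash, anywhere in the name) as traversal, and additionally flags an upload whose filename ends in .jsp even without traversal, since a .jsp landing in webapps/ROOT is the outcome the bullets above say to monitor for. The sample requests, boundary and host name are constructed for the test.

```python
"""Inspector for multipart uploads to the dotCMS ContentResource API that
carry a directory-traversal filename (the CVE-2022-26352 exploit pattern).
Added example; not code from the original page, dotCMS, or Emerging Threats."""
import re
from typing import Dict, List, Tuple

# A ".." path segment: at the start or after a slash, followed by a slash or end.
TRAVERSAL_RE = re.compile(r'(^|[\\/])\.\.([\\/]|$)')
# filename="..." inside a Content-Disposition header of a multipart part.
FILENAME_RE = re.compile(rb'filename="([^"]*)"', re.IGNORECASE)
# Endpoint the ET rule keys on.
TARGET_PREFIX = "/api/content/"


def parse_request(raw: bytes) -> Tuple[str, str, Dict[str, str], bytes]:
    """Split a raw HTTP/1.1 request into method, target, header dict and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, target, _version = lines[0].decode("latin-1").split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        key, _, value = line.decode("latin-1").partition(":")
        headers[key.strip().lower()] = value.strip()
    return method, target, headers, body


def multipart_filenames(headers: Dict[str, str], body: bytes) -> List[str]:
    """Return every Content-Disposition filename in a multipart/form-data body."""
    content_type = headers.get("content-type", "")
    boundary_match = re.search(r'boundary=("?)([^";]+)\1', content_type)
    if not content_type.lower().startswith("multipart/form-data") or not boundary_match:
        return []
    delimiter = b"--" + boundary_match.group(2).encode("latin-1")
    names: List[str] = []
    for part in body.split(delimiter)[1:]:
        if part.startswith(b"--"):
            break  # closing delimiter reached
        part_headers = part.split(b"\r\n\r\n", 1)[0]
        for match in FILENAME_RE.finditer(part_headers):
            names.append(match.group(1).decode("latin-1"))
    return names


def inspect_request(raw: bytes) -> Dict[str, object]:
    """Flag a request that matches the CVE-2022-26352 upload pattern."""
    method, target, headers, body = parse_request(raw)
    findings: List[str] = []
    if method == "POST" and target.startswith(TARGET_PREFIX):
        for name in multipart_filenames(headers, body):
            if TRAVERSAL_RE.search(name):
                findings.append(f"traversal in upload filename: {name!r}")
            elif name.lower().endswith(".jsp"):
                findings.append(f"executable (.jsp) upload filename: {name!r}")
    return {"suspicious": bool(findings), "findings": findings}


# --- constructed sample traffic (not captured data) ---
BOUNDARY = "----FormBoundaryCONSTRUCTED"


def build_upload(filename: str, target: str = TARGET_PREFIX) -> bytes:
    """Build a constructed multipart POST carrying one file part."""
    body = (
        f"--{BOUNDARY}\r\n"
        f'Content-Disposition: form-data; name="file"; filename="{filename}"\r\n'
        "Content-Type: application/octet-stream\r\n\r\n"
        "constructed-sample-bytes\r\n"
        f"--{BOUNDARY}--\r\n"
    )
    head = (
        f"POST {target} HTTP/1.1\r\n"
        "Host: dotcms.example\r\n"  # hypothetical host
        f"Content-Type: multipart/form-data; boundary={BOUNDARY}\r\n"
        f"Content-Length: {len(body)}\r\n"
    )
    return (head + "\r\n" + body).encode("latin-1")


BENIGN_UPLOAD = build_upload("report.pdf")
TRAVERSAL_UPLOAD = build_upload("../../../x.jsp")       # the filename="../ pattern
OTHER_ENDPOINT = build_upload("../x.jsp", target="/other/")  # same body, other path

if __name__ == "__main__":
    for label, req in [("benign", BENIGN_UPLOAD), ("traversal", TRAVERSAL_UPLOAD),
                       ("other endpoint", OTHER_ENDPOINT)]:
        print(label, inspect_request(req))
```

Run it as a script to see the three verdicts; in a pipeline, feed `inspect_request` the reassembled request from a proxy or IDS tap. Because the check runs on the decoded multipart header rather than a byte pattern, it also catches a traversal that appears after a leading directory name, which the fixed `filename="../` byte match does not.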

CVSS provenance

Source     Version   Score   Severity   Vector
nvd        v3.1      9.8     CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd        v2.0      6.8     MEDIUM     AV:N/AC:M/Au:N/C:P/I:P/A:P
vulncheck            9.8     CRITICAL
cisa                 9.8     CRITICAL