CVE-2022-27228
Published 2022-03-22
Priority: P188 · critical · 9.8 (CVSS 3.1)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Badges: ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 20.32% (97.2nd percentile)
In the vote (aka "Polls, Votes") module before 21.0.100 of Bitrix Site Manager, a remote unauthenticated attacker can execute arbitrary code.
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| bitrix24 | bitrix24 | < 21.0.100 | 21.0.100 |
Detection & IOCs (extracted from sources)
URL: /bitrix/tools/vote/uf.php?attachId[ENTITY_TYPE]=CFileUploader&attachId[ENTITY_ID][events][onFileIsStarted][]=CAllAgent&attachId[ENTITY_ID][events][onFileIsStarted][]=Update&attachId[MODULE_ID]=vote&action=vote
Path: /bitrix/tools/vote/uf.php
- The exploit begins with a GET to /bitrix/admin/ to harvest the 'bitrix_sessid' CSRF token, then POSTs a multipart file upload to /bitrix/tools/vote/uf.php with crafted attachId parameters that chain CFileUploader → CAllAgent::Update to achieve RCE.
- Successful exploitation returns HTTP 200 with a JSON body containing '"status":"done"'; monitor for this response on the /bitrix/tools/vote/uf.php endpoint when the request comes from an unauthenticated source.
- The attack uses a multipart/form-data boundary value of '---------------------------xxxxxxxxxxxx'; anomalous or static boundary strings in uploads to /bitrix/tools/vote/uf.php should be flagged.
- The payload abuses the 'onFileIsStarted' event hook within attachId to invoke CAllAgent::Update; look for query parameters containing 'onFileIsStarted' and 'CAllAgent' in requests to Bitrix endpoints, after percent-decoding, since the brackets in attachId[...] may be encoded.
- The exploit extracts 'bitrix_sessid' from the admin page using the regex pattern `'bitrix_sessid':'(.*?)'`; a GET to /bitrix/admin/ followed immediately by a POST to uf.php from an unauthenticated IP is a strong attack signal.
- The Nuclei template is marked 'verified: false', meaning the PoC has not been confirmed against a live target; treat scanner hits as candidates requiring manual triage rather than as confirmed exploitability.
- The template is tagged 'intrusive', indicating that active exploitation attempts are made during scanning; using this detection in passive/IDS mode requires adapting the matching logic to observed traffic rather than active probing.
- The vulnerable condition applies only to vote module versions before 21.0.100; instances already patched to 21.0.100 or later are not affected.
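As an added example (not part of this page's sources or of the Nuclei template), the following Python scores request records against the indicators listed above. It assumes a simple dict per request with `method`, `url`, `headers` and an `authenticated` flag that the log collector derives from the session cookie (an assumption, not a Bitrix log field); the sample records are constructed, and the second one uses percent-encoded brackets to show why matching must happen after decoding.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Endpoint targeted by the CVE-2022-27228 chain (from the IOCs on this page).
VULN_PATH = "/bitrix/tools/vote/uf.php"

# Static multipart boundary quoted on this page for the Nuclei PoC.
STATIC_BOUNDARY = "---------------------------xxxxxxxxxxxx"

BOUNDARY_RE = re.compile(r'boundary="?([^";]+)"?', re.I)


def score_request(req: dict) -> list[str]:
    """Return the indicator names matched by one request record.

    Only the request side is inspected; the '"status":"done"' response check
    needs a full-capture source and is out of scope here.
    """
    hits = []
    parts = urlsplit(req["url"])
    if unquote(parts.path) != VULN_PATH:
        return hits

    # parse_qsl percent-decodes names and values, so attachId%5B...%5D is
    # normalised to attachId[...] before any matching below.
    params = parse_qsl(parts.query, keep_blank_values=True)
    names = {k for k, _ in params}
    values = [v for _, v in params]

    # 1. attachId[ENTITY_TYPE]=CFileUploader is the pivot class of the PoC.
    if ("attachId[ENTITY_TYPE]", "CFileUploader") in params:
        hits.append("attachId_CFileUploader")

    # 2. The event hook that routes the upload into CAllAgent::Update.
    if any(k.startswith("attachId[ENTITY_ID][events][onFileIsStarted]") for k in names):
        hits.append("onFileIsStarted_hook")
    if "CAllAgent" in values and "Update" in values:
        hits.append("CAllAgent_Update")

    # 3. The PoC's fixed multipart boundary.
    ctype = req.get("headers", {}).get("Content-Type", "")
    m = BOUNDARY_RE.search(ctype)
    if m and m.group(1) == STATIC_BOUNDARY:
        hits.append("static_boundary")

    # 4. An unauthenticated POST to the upload endpoint is itself noteworthy.
    if req["method"].upper() == "POST" and not req.get("authenticated", False):
        hits.append("unauth_post_uf")

    return hits


def triage(requests: list[dict]) -> list[tuple[str, list[str]]]:
    """Keep only requests that hit a chain indicator, not merely an unauth POST."""
    out = []
    for r in requests:
        hits = score_request(r)
        if any(h != "unauth_post_uf" for h in hits):
            out.append((r["url"], hits))
    return out


# Constructed sample records (assumed collector format, not real traffic).
SAMPLE_REQUESTS = [
    {   # mirrors the PoC URL and boundary quoted on this page
        "method": "POST",
        "url": "http://target.example/bitrix/tools/vote/uf.php?attachId[ENTITY_TYPE]=CFileUploader"
               "&attachId[ENTITY_ID][events][onFileIsStarted][]=CAllAgent"
               "&attachId[ENTITY_ID][events][onFileIsStarted][]=Update&attachId[MODULE_ID]=vote&action=vote",
        "headers": {"Content-Type": "multipart/form-data; boundary=" + STATIC_BOUNDARY},
        "authenticated": False,
    },
    {   # same chain, brackets percent-encoded, random boundary
        "method": "POST",
        "url": "http://target.example/bitrix/tools/vote/uf.php?attachId%5BENTITY_TYPE%5D=CFileUploader"
               "&attachId%5BENTITY_ID%5D%5Bevents%5D%5BonFileIsStarted%5D%5B%5D=CAllAgent"
               "&attachId%5BENTITY_ID%5D%5Bevents%5D%5BonFileIsStarted%5D%5B%5D=Update",
        "headers": {"Content-Type": "multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxk"},
        "authenticated": False,
    },
    {   # ordinary authenticated vote upload without the chain parameters
        "method": "POST",
        "url": "http://target.example/bitrix/tools/vote/uf.php?attachId[MODULE_ID]=vote&action=vote",
        "headers": {"Content-Type": "multipart/form-data; boundary=----WebKitFormBoundaryabc"},
        "authenticated": True,
    },
    {   # unrelated path
        "method": "GET", "url": "http://target.example/bitrix/admin/", "headers": {}, "authenticated": False,
    },
]

if __name__ == "__main__":
    for url, hits in triage(SAMPLE_REQUESTS):
        print(url, hits)
```

The fourth indicator is kept separate from the chain indicators on purpose: an unauthenticated POST to uf.php alone is too noisy to alert on, but it raises the confidence of a hit that already carries the attachId chain.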
CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| NVD (v3.1) | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| NVD (v2.0) | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C |
| VulnCheck | 9.8 | CRITICAL | |
GHSA
GHSA-c23g-9x2x-4x3p · ghsa_unreviewed · 2022-03-23 · CRITICAL · CWE-20
In the vote (aka "Polls, Votes") module before 21.0.100 of Bitrix Site Manager, a remote unauthenticated attacker can execute arbitrary code.
VulnCheck
bitrix24 bitrix24 Improper Input Validation · vulncheck · 2022 · CVSS 9.8 · CRITICAL
In the vote (aka "Polls, Votes") module before 21.0.100 of Bitrix Site Manager, a remote unauthenticated attacker can execute arbitrary code.
Affected: bitrix24 bitrix24
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References:
- https://www.securityweek.com/exploitation-of-bitrix-cms-vulnerability-drives-ics-attack-surge-in-russia/
- https://www.cyberok.ru/docs/CyberOK-Bitrix_web_1.1.pdf
- https://bi.zone/upload/for_download/Threat_Zone_2024_BI.ZONE_Research_rus.pdf
- https://www.ptsecurity.com/ru-ru/research/pt-esc-threat-intelligence/ex-cobalt-go-red-tehnika-skrytogo-tunnelya/
- https://www.ptsecurity.com/ww-en/analytics/pt-
No detection rules found.
Nuclei
Bitrix Site Manager - Remote Code Execution · nuclei · CVSS 9.8 · CRITICAL
In the vote (aka "Polls, Votes") module before 21.0.100 of Bitrix Site Manager, a remote unauthenticated attacker can execute arbitrary code.
Template:
```yaml
id: CVE-2022-27228

info:
  name: Bitrix Site Manager - Remote Code Execution
  author: theamanrawat
  severity: critical
  description: In the vote (aka "Polls, Votes") module before 21.0.100 of Bitrix Site Manager, a remote unauthenticated attacker can execute arbitrary code.
  impact: Unauthenticated attackers can execute arbitrary code remotely, potentially leading to full system compromise.
  remediation: Update to version 21.0.100 or later.
  reference:
    - https://alt3r.eg0.ru/p0c5/attacking_bitrix.pdf
    - https://pentestnotes.ru/notes/bitrix_pentest_full/#rce-vote_agentphp-cve-2022-27228
    - https://nvd.ni
```