CVE-2022-27228
published 2022-03-22

CVE-2022-27228: In the vote (aka "Polls, Votes") module before 21.0.100 of Bitrix Site Manager, a remote unauthenticated attacker can execute arbitrary code.

Priority: P1 88 · critical · 9.8 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
ITW exploit · VulnCheck KEV · Exploited in the wild
EPSS: 20.32% (97.2nd percentile)

Affected

1 range
Vendor      Product     Version range    Fixed in
bitrix24    bitrix24    < 21.0.100       21.0.100

Detection & IOCs (extracted from sources)

URL:  /bitrix/tools/vote/uf.php?attachId[ENTITY_TYPE]=CFileUploader&attachId[ENTITY_ID][events][onFileIsStarted][]=CAllAgent&attachId[ENTITY_ID][events][onFileIsStarted][]=Update&attachId[MODULE_ID]=vote&action=vote
Path: /bitrix/tools/vote/uf.php
  • Exploit begins with a GET to /bitrix/admin/ to harvest the 'bitrix_sessid' CSRF token, then POSTs a multipart file upload to /bitrix/tools/vote/uf.php with crafted attachId parameters that chain CFileUploader → CAllAgent::Update to achieve RCE.
  • Successful exploitation returns HTTP 200 with JSON body containing '"status":"done"'; monitor for this response on the /bitrix/tools/vote/uf.php endpoint from unauthenticated sources.
  • The attack uses a multipart/form-data boundary value of '---------------------------xxxxxxxxxxxx'; anomalous or static boundary strings in uploads to /bitrix/tools/vote/uf.php should be flagged.
  • The payload abuses the 'onFileIsStarted' event hook within attachId to invoke CAllAgent::Update — look for query parameters containing 'onFileIsStarted' and 'CAllAgent' in requests to Bitrix endpoints.
  • The exploit extracts 'bitrix_sessid' from the admin page using the regex pattern `'bitrix_sessid':'(.*?)'`; presence of this token in a session followed immediately by a POST to uf.php from an unauthenticated IP is a strong attack signal.
  • The Nuclei template is marked 'verified: false', meaning the PoC has not been confirmed against a live target; treat detections as high-confidence candidates requiring manual triage.
  • The template is tagged 'intrusive', indicating active exploitation attempts are made during scanning; deploying this detection in passive/IDS mode requires adapting the matching logic to observed traffic rather than active probing.
  • The vulnerable condition applies only to vote module versions before 21.0.100; instances already patched to 21.0.100 or later are not affected.

CVSS provenance

NVD (v3.1):   9.8  CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD (v2.0):   10.0 CRITICAL  AV:N/AC:L/Au:N/C:C/I:C/A:C
VulnCheck:    9.8  CRITICAL