CVE-2022-29303
published 2022-05-12

CVE-2022-29303: SolarView Compact ver.6.00 was discovered to contain a command injection vulnerability via conf_mail.php.

Priority: P1 94, critical, 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: KEV, ITW, EXPLOIT
CISA Known Exploited Vulnerability, due 2023-08-03
Exploited in the wild
EPSS: 99.92% (100.0th percentile)

Affected

1 range

Vendor | Product | Version range | Fixed in
contec | sv-cpt-mc310_firmware | |

Detection & IOCs (extracted from sources)

path: /conf_mail.php
command: mail_address=%3Bid%3Bwhoami%3Bpwd%3Bls%3B&button=%83%81%81%5B%83%8B%91%97%90M
command: mail_address=%3B{{cmd}}%3B&button=%83%81%81%5B%83%8B%91%97%90M
snort
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT SolarView Compact Command Injection Inbound (CVE-2022-29303)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/conf_mail.php"; fast_pattern; http.request_body; content:"mail_address="; pcre:"/^\s?(?:[\x3b\x0a\x26\x60\x7c\x24]|%(3b|0a|26|60|7c|24))/Ri"; reference:cve,2022-29303; classtype:attempted-admin; sid:2036649; rev:1; metadata:attack_target Server, created_at 2022_05_23, cve CVE_2022_29303, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Exploit, tag CISA_KEV, updated_at 2022_05_23, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)
yara
regex: root:.*:0:0
  • Exploit targets HTTP POST to /conf_mail.php with shell metacharacters (semicolons, pipes, etc.) injected into the mail_address parameter. Look for URL-encoded shell separators: %3b (;), %0a (newline), %26 (&), %60 (`), %7c (|), %24 ($) at the start of the mail_address value.
  • No authentication is required to exploit this vulnerability — the vulnerable endpoint /conf_mail.php is unauthenticated.
  • Shodan and FOFA fingerprints can be used to identify exposed SolarView Compact instances: search for 'SolarView Compact' in HTTP HTML body.
  • Successful exploitation response body contains the string 'p1_network_mail.cgi', which can be used as a confirmation indicator.
  • The vulnerability exists due to improper validation of input values on the send test mail console of the product's web server.
  • The Nuclei template uses a placeholder variable for the injected command (cat${IFS}/etc/passwd); real-world payloads will vary. The IFS substitution bypasses space filtering.
  • The Snort rule (ET sid:2036649) targets inbound traffic to $HOME_NET/$HTTP_SERVERS; ensure these variables are correctly scoped to cover the SolarView Compact device's IP range for accurate detection.
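
An added example (not from this page or from the Emerging Threats ruleset): a Python approximation of the method, URI and request-body checks in the rule quoted above, for triaging stored HTTP request logs. The function names and sample requests are constructed for illustration, and the IDS engine's own buffer normalization is not modeled.

```python
import re

# Approximation of ET sid:2036649 as quoted above: right after "mail_address=",
# one optional whitespace byte, then a raw or URL-encoded shell metacharacter
# (; newline & ` | $). Case-insensitive, like the rule's /i flag.
_KEY = b"mail_address="
_META = re.compile(
    rb"\s?(?:[\x3b\x0a\x26\x60\x7c\x24]|%(?:3b|0a|26|60|7c|24))", re.I
)


def matches_sid_2036649(method: str, uri: str, body: bytes) -> bool:
    """Return True if a logged request satisfies the rule's content and pcre checks."""
    if "POST" not in method or "/conf_mail.php" not in uri:
        return False
    pos = body.find(_KEY)
    while pos != -1:
        # The rule's R flag anchors the pcre directly after the content match.
        if _META.match(body, pos + len(_KEY)):
            return True
        pos = body.find(_KEY, pos + 1)
    return False


# Constructed sample requests (method, uri, body); not captured traffic.
SAMPLES = {
    # Body string listed in the IOC section above.
    "page_payload": ("POST", "/conf_mail.php",
                     b"mail_address=%3Bid%3Bwhoami%3Bpwd%3Bls%3B&button=%83%81%81%5B%83%8B%91%97%90M"),
    # Ordinary address: first byte after '=' is not a separator.
    "benign_address": ("POST", "/conf_mail.php",
                       b"mail_address=ops%40example.com&button=send"),
    # Empty field: the '&' that starts the next parameter satisfies the pcre,
    # so expect alerts on blank form submissions when tuning.
    "empty_address": ("POST", "/conf_mail.php", b"mail_address=&button=send"),
    "get_request": ("GET", "/conf_mail.php", b""),
    "other_path": ("POST", "/index.php", b"mail_address=%3Bid"),
}


def triage(samples=SAMPLES) -> dict:
    """Map each sample name to whether the approximated rule would alert."""
    return {name: matches_sid_2036649(*req) for name, req in samples.items()}


if __name__ == "__main__":
    for name, hit in triage().items():
        print(f"{name:15} {'ALERT' if hit else 'no match'}")
```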

CVSS provenance

Source | Version | Score | Severity | Vector
nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd | v2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C
vulncheck | | 9.8 | CRITICAL |
cisa | | 9.8 | CRITICAL |