CVE-2022-29303
Published: 2022-05-12
Priority P194 · critical · 9.8 (CVSS 3.1)
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability, due 2023-08-03
Exploited in the wild
EPSS: 99.92% (100.0th percentile)
SolarView Compact ver.6.00 was discovered to contain a command injection vulnerability via conf_mail.php.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| contec | sv-cpt-mc310_firmware | — | — |
Detection & IOCs (extracted from sources)
command: mail_address=%3B{{cmd}}%3B&button=%83%81%81%5B%83%8B%91%97%90M
snort: alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT SolarView Compact Command Injection Inbound (CVE-2022-29303)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/conf_mail.php"; fast_pattern; http.request_body; content:"mail_address="; pcre:"/^\s?(?:[\x3b\x0a\x26\x60\x7c\x24]|%(3b|0a|26|60|7c|24))/Ri"; reference:cve,2022-29303; classtype:attempted-admin; sid:2036649; rev:1; metadata:attack_target Server, created_at 2022_05_23, cve CVE_2022_29303, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Exploit, tag CISA_KEV, updated_at 2022_05_23, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)
yara regex: root:.*:0:0
- Exploit targets HTTP POST to /conf_mail.php with shell metacharacters (semicolons, pipes, etc.) injected into the mail_address parameter. Look for URL-encoded shell separators at the start of the mail_address value: %3b (;), %0a (newline), %26 (&), %60 (`), %7c (|), %24 ($).
- No authentication is required to exploit this vulnerability: the vulnerable endpoint /conf_mail.php is unauthenticated.
- Shodan and FOFA fingerprints can be used to identify exposed SolarView Compact instances: search for 'SolarView Compact' in the HTTP HTML body.
- A successful exploitation response body contains the string 'p1_network_mail.cgi', which can be used as a confirmation indicator.
- The vulnerability exists due to improper validation of input values on the send test mail console of the product's web server.
- The Nuclei template uses a placeholder variable for the injected command (cat${IFS}/etc/passwd); real-world payloads will vary. The IFS substitution bypasses space filtering.
- The Snort rule (ET sid:2036649) targets inbound traffic to $HOME_NET/$HTTP_SERVERS; ensure these variables are correctly scoped to cover the SolarView Compact device's IP range for accurate detection.
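As an added defender-side example (not taken from any of the sources indexed here), the following Python ports the request-body check of the ET rule above into a function that can be run over proxy or WAF records that retain POST bodies, and uses the 'p1_network_mail.cgi' response marker noted above to separate attempts from likely successes. Function names are my own and the sample records are constructed, not real captures.

```python
import re
from typing import Dict, List, Tuple

# Port of the ET 2036649 pcre: right after "mail_address=", optional whitespace,
# then a raw shell separator (; newline & ` | $) or its URL-encoded form.
_SEPARATOR = re.compile(
    r"^\s?(?:[\x3b\x0a\x26\x60\x7c\x24]|%(?:3b|0a|26|60|7c|24))", re.IGNORECASE
)
# Response marker the notes above list as a confirmation indicator of success.
_SUCCESS_MARKER = "p1_network_mail.cgi"


def is_exploit_attempt(method: str, uri: str, body: str) -> bool:
    """True when the request matches the rule logic: a POST to /conf_mail.php
    whose mail_address value begins with a shell separator."""
    if method.upper() != "POST" or "/conf_mail.php" not in uri:
        return False
    idx = body.find("mail_address=")  # content match; pcre /R anchors after it
    if idx < 0:
        return False
    return _SEPARATOR.match(body[idx + len("mail_address="):]) is not None


def verdict(method: str, uri: str, body: str, response: str) -> str:
    """Triage one request/response pair: benign, attempt or likely_success."""
    if not is_exploit_attempt(method, uri, body):
        return "benign"
    return "likely_success" if _SUCCESS_MARKER in response else "attempt"


def scan(records: List[Dict[str, str]]) -> List[Tuple[int, str]]:
    """Return (index, verdict) for every record that is not benign."""
    hits = []
    for i, r in enumerate(records):
        v = verdict(r["method"], r["uri"], r["body"], r.get("response", ""))
        if v != "benign":
            hits.append((i, v))
    return hits


# Constructed sample records shaped like proxy/WAF log entries that keep the body:
# a normal test-mail submission, an encoded and a raw injection, and a GET the rule does not cover.
SAMPLE_RECORDS = [
    {"method": "POST", "uri": "/conf_mail.php", "body": "mail_address=ops%40example.com&button=send", "response": "<html>OK</html>"},
    {"method": "POST", "uri": "/conf_mail.php", "body": "mail_address=%3Bid%3B&button=send", "response": "...p1_network_mail.cgi..."},
    {"method": "POST", "uri": "/conf_mail.php", "body": "button=send&mail_address=|id", "response": "<html>error</html>"},
    {"method": "GET", "uri": "/conf_mail.php?mail_address=%3Bid", "body": "", "response": ""},
]

if __name__ == "__main__":
    for i, v in scan(SAMPLE_RECORDS):
        print(f"record {i}: {v}")
```

Plain web-server access logs do not contain POST bodies, so this check needs a source that records them (reverse proxy, WAF, or packet capture), which is also why the ET rule itself inspects http.request_body.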
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C |
| vulncheck | — | 9.8 | CRITICAL | — |
| cisa | — | 9.8 | CRITICAL | — |
GHSA
GHSA-9pf5-f78q-q36r: SolarView Compact ver (ghsa_unreviewed · 2022-05-13 · CRITICAL · CWE-77)
SolarView Compact ver.6.00 was discovered to contain a command injection vulnerability via conf_mail.php.
VulnCheck
SolarView Compact Command Injection Vulnerability (vulncheck · 2022 · CVSS 9.8 · CRITICAL · CWE-78)
SolarView Compact contains a command injection vulnerability due to improper validation of input values on the send test mail console of the product's web server.
Affected: SolarView Compact
Required Action: Apply updates per vendor instructions or discontinue use of the product if updates are unavailable.
Exploitation References: https://api.vulncheck.com/v3/index/sans-dshield?cve=CVE-2022-29303; https://unit42.paloaltonetworks.com/mirai-variant-targets-iot-exploits/; https://vulncheck.com/blog/solarview-exploitation; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-11-13&host_type=src&vulnerability=cve-2022-29303; htt
CISA
SolarView Compact Command Injection Vulnerability (cisa · 2023-07-13 · CVSS 9.8 · CRITICAL · CWE-78)
Vulnerability: SolarView Compact Command Injection Vulnerability
Affected: SolarView Compact
SolarView Compact contains a command injection vulnerability due to improper validation of input values on the send test mail console of the product's web server.
Required Action: Apply updates per vendor instructions or discontinue use of the product if updates are unavailable.
Notes: https://jvn.jp/en/vu/JVNVU92327282/; https://nvd.nist.gov/vuln/detail/CVE-2022-29303
Remediation Due Date: 2023-08-03
Suricata
ET EXPLOIT SolarView Compact Command Injection Inbound (CVE-2022-29303) (suricata · 2022-05-23 · CVSS 9.8 · CRITICAL)
Rule: alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT SolarView Compact Command Injection Inbound (CVE-2022-29303)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/conf_mail.php"; fast_pattern; http.request_body; content:"mail_address="; pcre:"/^\s?(?:[\x3b\x0a\x26\x60\x7c\x24]|%(3b|0a|26|60|7c|24))/Ri"; reference:cve,2022-29303; classtype:attempted-admin; sid:2036649; rev:1; metadata:attack_target Server, created_at 2022_05_23, cve CVE_2022_29303, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Exploit, tag CISA_KEV, updated_at 2022_05_23, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mit
Exploit-DB
SolarView Compact 6.0 - OS Command Injection (exploitdb · 2022-05-17 · CVSS 9.8 · CRITICAL)
---
# Exploit Title: SolarView Compact 6.0 - OS Command Injection
# Date: 2022-05-15
# Exploit Author: Ahmed Alroky
# Author Company : AIactive
# Version: ver.6.00
# Vendor home page : https://www.contec.com/
# Authentication Required: No
# CVE : CVE-2022-29303
# Tested on: Windows
# Exploit
# HTTP Request :
POST /conf_mail.php HTTP/1.1
Host: HOST_IP
Content-Length: 77
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://HOST_IP
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.102 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exc
Nuclei
SolarView Compact 6.00 - OS Command Injection (nuclei · CVSS 9.8 · CRITICAL)
SolarView Compact 6.00 was discovered to contain a command injection vulnerability via conf_mail.php.
Template:
id: CVE-2022-29303
info:
  name: SolarView Compact 6.00 - OS Command Injection
  author: badboycxcc
  severity: critical
  description: |
    SolarView Compact 6.00 was discovered to contain a command injection vulnerability via conf_mail.php.
  impact: |
    Successful exploitation of this vulnerability can lead to unauthorized remote code execution, potentially compromising the confidentiality, integrity, and availability of the system.
  remediation: |
    Apply the latest patch or update provided by the vendor to fix the OS command injection vulnerability in SolarView Compact 6.00.
  reference:
    - https://www.exploit-db.com/exploits/50940
    - https://cve.
Unit42
IoT Under Siege: The Anatomy of the Latest Mirai Campaign Leveraging Multiple IoT Exploits (blogs_unit42 · 2023-06-22 · CVSS 9.8 · CRITICAL; indexed under CVE-2019-12725)
## Executive Summary
Since March 2023, Unit 42 researchers have observed threat actors leveraging several IoT vulnerabilities to spread a variant of the Mirai botnet. The vulnerabilities exploited include those listed in the following table:
| CVE/Product | Description |
|---|---|
| CVE-2019-12725 | Zeroshell Remote Command Execution Vulnerability |
| CVE-2019-17621 | D-Link DIR-859 Remote Command Injection Vulnerability |
| CVE-2019-20500 | D-Link DWL-2600AP Remote Command Execution Vulnerability |
| CVE-2021-25296 | Nagios XI Remote Command Injection Vulnerability |
| CVE-2021-46422 | Telesquare SDT-CW3B1 Router Command Injection Vulnerability |
| CVE-2022-27002 | Arris TR3300 Remote Command Injection Vulnerability |
| CVE-2022-29303 | SolarView Compact Command Injection Vulnerability |
| CVE-2022-30023 | Tenda HG9 Router Command Injectio |
Unit42 (second index entry for the same post)
IoT Under Siege: The Anatomy of the Latest Mirai Campaign Leveraging Multiple IoT Exploits (blogs_unit42 · 2023-06-22 · CVSS 9.8 · CRITICAL; indexed under CVE-2019-12725)
Authors: Chao Lei, Zhibin Zhang, Yiheng An, Cecilia Hu
Published: June 22, 2023
Tags: Trend Reports, Vulnerabilities, Botnet, IoT, IoT Security, Mirai
Tagged CVEs: CVE-2019-12725, CVE-2019-17621, CVE-2019-20500, CVE-2021-25296, CVE-2021-46422, CVE-2022-27002, CVE-2022-29303, CVE-2022-30023, CVE-2022-30525, CVE-2022-31499, CVE-2022-36266, CVE-2022-40005, CVE-2022-45699, CVE-2023-1389, CVE-2023-25280, CVE-2023-27240
Greynoiseio
Trinity Cyber + GreyNoise: Sharing Intelligence to Protect Internet Citizens (blogs_greynoiseio · CVSS 8.8 · HIGH)
References:
- http://packetstormsecurity.com/files/167183/SolarView-Compact-6.0-Command-Injection.html
- https://drive.google.com/drive/folders/1tGr-WExbpfvhRg31XCoaZOFLWyt3r60g?usp=sharing
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-29303
Timeline: 2022-05-12 published · 2023-07-13 added to CISA KEV · exploited in the wild