CVE-2022-29464
published 2022-04-18

Priority: P1 (100), critical, CVSS 3.1 base score 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: KEV, ITW, EXPLOIT, Ransomware, Initial access
CISA Known Exploited Vulnerability, remediation due 2022-05-16
Exploited in the wild
EPSS: 100.00% (100.0th percentile)
Certain WSO2 products allow unrestricted file upload with resultant remote code execution. The attacker must use a /fileupload endpoint with a Content-Disposition directory traversal sequence to reach a directory under the web root, such as a ../../../../repository/deployment/server/webapps directory. This affects WSO2 API Manager 2.2.0 up to 4.0.0, WSO2 Identity Server 5.2.0 up to 5.11.0, WSO2 Identity Server Analytics 5.4.0, 5.4.1, 5.5.0 and 5.6.0, WSO2 Identity Server as Key Manager 5.3.0 up to 5.11.0, WSO2 Enterprise Integrator 6.2.0 up to 6.6.0, WSO2 Open Banking AM 1.4.0 up to 2.0.0 and WSO2 Open Banking KM 1.4.0, up to 2.0.0.

Affected

11 ranges

Vendor   Product                          Version range     Fixed in
wso2     api_manager                      2.2.0 – 4.0.0
wso2     enterprise_integrator            6.2.0 – 6.6.0
wso2     identity_server                  5.2.0 – 5.11.0
wso2     identity_server_analytics
wso2     identity_server_analytics
wso2     identity_server_analytics
wso2     identity_server_analytics
wso2     identity_server_as_key_manager   5.3.0 – 5.10.0
wso2     open_banking_am                  1.3.0 – 2.0.0
wso2     open_banking_iam
wso2     open_banking_km                  1.3.0 – 1.5.0

Detection & IOCs (extracted from sources)

path: //repository/deployment/server/webapps/authenticationendpoint/{6 random letters}.jsp
path: //repository/deployment/server/webapps/authenticationendpoint/temp.jsp
path: //repository/deployment/server/webapps/authenticationendpoint/unit.jsp
path: //repository/deployment/server/webapps/authenticationendpoint/wso2is-08-22-2019_19_29.jsp
path: //repository/deployment/server/webapps/authenticationendpoint/9.jsp
path: //repository/deployment/server/webapps/{5 letters like HcTnA}.war
path: //repository/deployment/server/webapps/{5 letters like HcTnA}/WEB-INF/classes/metasploit/Payload.class
path: /tmp/LBcgqCymZQhm
path: /tmp/uCQeONYQ
path: /dev/shm/hezb
path: C:\Windows\Temp\fscan.exe
ip: 13.94.40.162
ip: 179.60.150.29
url: hxxp://13[.]94[.]40[.]162:8088/auto[.]sh
port: 4444
filename: auto.sh
filename: setup_c3pool_miner.sh
path: /repository/deployment/server/webapps/authenticationendpoint/
other: 41286: HTTP: WSO2 API Manager ToolsAnyFileUploadExecutor Directory Traversal Vulnerability
  • Monitor for Java process spawning wget or curl to retrieve remote shell scripts (e.g., auto.sh), which is indicative of post-exploitation activity following CVE-2022-29464 web shell installation.
  • Alert on chmod commands executed by the Java process owner, as this is a post-exploitation indicator observed in CVE-2022-29464 attacks.
  • Detect outbound connections from WSO2 Java processes to 179.60.150.29:4444, which is a confirmed Cobalt Strike C2 callback destination used in active exploitation of CVE-2022-29464.
  • Hunt for newly created .JSP or .WAR files under /repository/deployment/server/webapps/authenticationendpoint/ or random 5-letter named .war directories, as these are the primary web shell drop locations observed in CVE-2022-29464 exploitation.
  • Detect HTTP requests to WSO2 /fileupload endpoints containing Content-Disposition headers with directory traversal sequences (e.g., ../../../../repository/deployment/server/webapps).
  • Look for the presence of Payload.class under WEB-INF/classes/metasploit/ within WSO2 webapps directories, indicating Metasploit module deployment via CVE-2022-29464.
  • Check for the presence of fscan.exe in C:\Windows\Temp\ as a lateral movement/network scanning tool dropped after CVE-2022-29464 exploitation on Windows systems.
  • Monitor /dev/shm/ for executable files (e.g., hezb), as threat actors used this in-memory path to stage coinminer payloads after CVE-2022-29464 exploitation.
  • The Cobalt Strike beacon observed targeting Linux environments is not an official Cobalt Strike artifact; it was custom-developed by the threat actor for Linux compatibility, making signature-based detection against standard Cobalt Strike beacon profiles less reliable.
  • Exploitation requires no user interaction and no administrative privileges, meaning any internet-exposed WSO2 instance is at risk without authentication as a prerequisite barrier.
  • Affected WSO2 servers are easily discoverable via Google or Shodan searches, meaning threat actors can rapidly enumerate targets at scale.
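A check for the Content-Disposition traversal pattern named in the detection list above, written here as an added example that is not part of this record, of WSO2's code or of any detection product; the request paths, the "/fileupload/sample" sub-path and the header values are constructed samples, and the output is the list of flagged (path, filename) pairs:

```python
import re

# Constructed sample (request path, Content-Disposition value) pairs as a
# WSO2 /fileupload handler would see them inside a multipart body.
# "/fileupload/sample" is a placeholder sub-path, not a real endpoint name.
SAMPLES = [
    ("/fileupload/sample", 'form-data; name="file"; filename="report.pdf"'),
    ("/fileupload/sample", 'form-data; name="file"; filename="../../../../'
     'repository/deployment/server/webapps/authenticationendpoint/temp.jsp"'),
    ("/fileupload/sample", 'form-data; name="file"; '
     'filename="..\\..\\repository\\deployment\\server\\webapps\\x.war"'),
    ("/fileupload/sample", "form-data; name=\"file\"; filename*=UTF-8''%2e%2e/a.jsp"),
    ("/carbon/admin/login.jsp", 'form-data; name="file"; filename="../evil.jsp"'),
]

# filename= or filename*= (RFC 5987), quoted string or bare token
_FILENAME_RE = re.compile(r'filename\*?\s*=\s*("(?P<q>[^"]*)"|(?P<u>[^;]*))', re.I)


def content_disposition_filename(value):
    """Return the filename parameter of a Content-Disposition value, or None."""
    m = _FILENAME_RE.search(value)
    if not m:
        return None
    name = m.group("q") if m.group("q") is not None else m.group("u").strip()
    if "''" in name:  # RFC 5987 form charset'lang'value: keep only the value
        name = name.split("''", 1)[1]
    return name


def is_traversal(filename):
    """True if the filename could escape the intended upload directory."""
    unified = filename.replace("\\", "/")  # treat backslashes as separators too
    if unified.startswith("/") or ".." in unified.split("/"):
        return True
    # URL-encoded dot-dot or separators that a lax decoder might expand later
    return bool(re.search(r"%2e%2e|%2f|%5c", unified, re.I))


def flag_upload(path, disposition):
    """Flag a request to a /fileupload endpoint whose part filename traverses."""
    if "/fileupload" not in path.lower():
        return False
    name = content_disposition_filename(disposition)
    return name is not None and is_traversal(name)


def scan(samples=SAMPLES):
    """Return (path, filename) for every sample the rule flags."""
    return [(p, content_disposition_filename(d)) for p, d in samples if flag_upload(p, d)]
```

Run as a WAF or access-log rule, the same predicate applied before the upload is written to disk is the mitigation, and applied to recorded requests it is the hunt for past exploitation attempts.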

CVSS provenance

nvd        v3.1   9.8   CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd        v2.0   10.0  CRITICAL   AV:N/AC:L/Au:N/C:C/I:C/A:C
vulncheck         9.8   CRITICAL
cisa              9.8   CRITICAL