CVE-2022-31125
Published 2022-07-06
Priority: P180 · Severity: critical · CVSS 3.1 base score: 9.8
CVSS 3.1 metrics: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Exploit: public exploit available (see references)
EPSS: 15.93% (96.5th percentile)
Roxy-wi is an open source web interface for managing Haproxy, Nginx, Apache and Keepalived servers. A vulnerability in Roxy-wi allows a remote, unauthenticated attacker to bypass authentication and access admin functionality by sending a specially crafted HTTP request. This affects Roxywi versions before 6.1.1.0. Users are advised to upgrade. There are no known workarounds for this issue.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| hap-wi | roxy-wi | < 6.1.1.0 | 6.1.1.0 |
| roxy-wi | roxy-wi | < 6.1.1.0 | 6.1.1.0 |
Detection & IOCs (extracted from sources)
POST body used by the public PoC: `alert_consumer=notNull&serv=roxy-wi.access.log&rows1=10&grep=&exgrep=&hour=00&minut=00&hour1=23&minut1=45`
- Detect POST requests to /app/options.py that carry no valid session credentials: the authentication bypass is triggered by such a request when the POST body contains the parameter alert_consumer=notNull.
- Treat alert_consumer=notNull in a POST body to /app/options.py as a specific indicator of an exploitation attempt for this authentication bypass.
- The exploit sends the header X-Requested-With: XMLHttpRequest with the crafted POST; correlating that header with unauthenticated requests to /app/options.py gives higher-fidelity detection.
- A Referer of /app/login.py on a POST to /app/options.py made without an authenticated session may indicate exploitation of CVE-2022-31125.
- Affects Roxy-wi versions before 6.1.1.0: identify vulnerable instances by version fingerprinting and prioritise patching.
- Caveat: the PoC uses a hardcoded private IP (192.168.56.116) as the target Host; real attacks will use the actual target host, so do not rely on IP-based detection alone.
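The indicators above, combined into one scoring rule and run over captured HTTP requests. This is an added example, not code from the Roxy-wi project or from the page's sources; it assumes requests are available with their bodies (reverse proxy, WAF or PCAP export), that "no session credentials" can be approximated at the proxy by the absence of a session cookie whose name (`uuid` here) is an assumption you must adjust to your deployment, and that the sample requests below are constructed, with a placeholder Host rather than the PoC's 192.168.56.116.

```python
"""Detection logic for CVE-2022-31125 exploitation attempts, run over captured
HTTP requests (reverse proxy, WAF or PCAP export with body capture).
Added example; not Roxy-wi project code."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# ASSUMPTION: name of the cookie Roxy-wi sets for a logged-in session. Adjust to
# whatever your deployment sets; its absence is the proxy-level stand-in for
# "POST without valid session credentials" in the detection guidance.
SESSION_COOKIE = "uuid"

TARGET_PATH = "/app/options.py"
ALERT_THRESHOLD = 4  # score at or above which a request is reported


@dataclass
class Finding:
    score: int = 0
    indicators: List[str] = field(default_factory=list)


def parse_request(raw: str) -> Tuple[str, str, Dict[str, str], str]:
    """Split a raw HTTP/1.1 request into method, target, lowercased headers, body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def parse_cookies(header: str) -> Dict[str, str]:
    """Parse a Cookie header into a name -> value map."""
    cookies: Dict[str, str] = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            cookies[name] = value
    return cookies


def score_request(raw: str) -> Optional[Finding]:
    """Score a POST to /app/options.py against the indicators; None for other traffic.

    The bypass parameter is the strongest signal, a missing session cookie the
    next; the XHR header and login-page Referer only raise confidence, so a
    normal authenticated XHR from the UI stays below the alert threshold.
    """
    method, target, headers, body = parse_request(raw)
    if method != "POST" or urlsplit(target).path != TARGET_PATH:
        return None
    params = parse_qs(body, keep_blank_values=True)
    cookies = parse_cookies(headers.get("cookie", ""))
    finding = Finding()
    if "notNull" in params.get("alert_consumer", []):
        finding.score += 4
        finding.indicators.append("alert_consumer=notNull in POST body")
    if SESSION_COOKIE not in cookies:
        finding.score += 2
        finding.indicators.append("no session cookie on request")
    if headers.get("x-requested-with", "").lower() == "xmlhttprequest":
        finding.score += 1
        finding.indicators.append("X-Requested-With: XMLHttpRequest")
    if "/app/login.py" in headers.get("referer", ""):
        finding.score += 1
        finding.indicators.append("Referer points at /app/login.py")
    return finding


def is_exploit_attempt(raw: str, threshold: int = ALERT_THRESHOLD) -> bool:
    finding = score_request(raw)
    return finding is not None and finding.score >= threshold


# Constructed sample traffic (not captured from a real system). The first request
# mirrors the shape of the public PoC; the Host value is a placeholder.
EXPLOIT_REQUEST = "\r\n".join([
    "POST /app/options.py HTTP/1.1",
    "Host: roxy-wi.example.internal",
    "X-Requested-With: XMLHttpRequest",
    "Referer: http://roxy-wi.example.internal/app/login.py",
    "Content-Type: application/x-www-form-urlencoded",
    "",
    "alert_consumer=notNull&serv=roxy-wi.access.log&rows1=10&grep=&exgrep="
    "&hour=00&minut=00&hour1=23&minut1=45",
])

# A logged-in operator using the same endpoint without the bypass parameter.
BENIGN_REQUEST = "\r\n".join([
    "POST /app/options.py HTTP/1.1",
    "Host: roxy-wi.example.internal",
    "Cookie: uuid=constructed-session-id",
    "X-Requested-With: XMLHttpRequest",
    "Content-Type: application/x-www-form-urlencoded",
    "",
    "serv=roxy-wi.access.log&rows1=10&grep=&exgrep=&hour=00&minut=00&hour1=23&minut1=45",
])

# Unrelated traffic the detector must ignore.
OTHER_REQUEST = "GET /app/login.py HTTP/1.1\r\nHost: roxy-wi.example.internal\r\n\r\n"


if __name__ == "__main__":
    for label, raw in [("exploit", EXPLOIT_REQUEST), ("benign", BENIGN_REQUEST), ("other", OTHER_REQUEST)]:
        print(label, score_request(raw), is_exploit_attempt(raw))
```

The weights encode the page's own ranking: the `alert_consumer=notNull` parameter alone clears the threshold, because a legitimate authenticated client has no reason to send it, while the XHR header and Referer are common in normal UI traffic and only add confidence. Feed it real proxy exports rather than access logs, since access logs do not record POST bodies.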
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| NVD | 2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
No advisories linked to this vulnerability.
No detection rules found.
No writeups or analysis indexed.
References:
- http://packetstormsecurity.com/files/171648/Roxy-WI-6.1.0.0-Improper-Authentication-Control.html
- https://github.com/hap-wi/roxy-wi/security/advisories/GHSA-hr76-3hxp-5mm3