CVE-2022-31125
published 2022-07-06


Priority: P1 80
Severity: critical (CVSS 3.1 base score 9.8)
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: public PoC available
EPSS: 15.93% (96.5th percentile)
Roxy-wi is an open source web interface for managing Haproxy, Nginx, Apache and Keepalived servers. A vulnerability in Roxy-wi allows a remote, unauthenticated attacker to bypass authentication and access admin functionality by sending a specially crafted HTTP request. This affects Roxywi versions before 6.1.1.0. Users are advised to upgrade. There are no known workarounds for this issue.

Affected

2 ranges
Vendor     Product   Version range   Fixed in
hap-wi     roxy-wi   < 6.1.1.0       6.1.1.0
roxy-wi    roxy-wi   < 6.1.1.0       6.1.1.0

Detection & IOCs (extracted from sources)

URL: /app/options.py
Command / POST body: alert_consumer=notNull&serv=roxy-wi.access.log&rows1=10&grep=&exgrep=&hour=00&minut=00&hour1=23&minut1=45
  • Detect unauthenticated POST requests to /app/options.py — the authentication bypass is triggered by sending a POST to this endpoint without valid session credentials, using the 'alert_consumer=notNull' parameter.
  • Look for the 'alert_consumer=notNull' parameter in POST body to /app/options.py as a specific indicator of exploitation attempts for this authentication bypass.
  • The exploit uses X-Requested-With: XMLHttpRequest header alongside the crafted POST — correlate this header with unauthenticated requests to /app/options.py for higher-fidelity detection.
  • Requests originating from or referencing /app/login.py as Referer while POSTing to /app/options.py without a valid authenticated session may indicate exploitation of CVE-2022-31125.
  • Affects Roxy-wi versions before 6.1.1.0; identify vulnerable instances by version fingerprinting and prioritize patching.
  • The PoC uses a hardcoded private IP (192.168.56.116) as the target Host — real-world attacks will use the actual target host; do not rely on IP-based detection alone.
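The indicators above can be turned into a small detector. The following is an added example, not code from this CVE entry or from the Roxy-wi project: it takes the endpoint, parameter and header indicators listed above, applies them to a few constructed request records, and grades each hit by how many indicators coincide. The JSON-lines record format and the "session_valid" field are assumptions about what a reverse proxy or WAF in front of Roxy-wi could log; they are not Roxy-wi's own log format. The version check implements the "before 6.1.1.0" affected range from the table above.

```python
"""Detection logic for the CVE-2022-31125 indicators listed above (added example)."""
import json
from urllib.parse import parse_qs

# Affected range from the entry: every Roxy-wi version before 6.1.1.0.
FIXED_VERSION = (6, 1, 1, 0)
TARGET_PATH = "/app/options.py"

# Constructed request records, one JSON object per line. The field names,
# including "session_valid", are an assumption about what a reverse proxy or
# WAF could emit; they are not a Roxy-wi log format. The hostname is a
# placeholder.
SAMPLE_LOG = """\
{"method": "POST", "path": "/app/options.py", "session_valid": true, "headers": {"X-Requested-With": "XMLHttpRequest"}, "body": "alert_consumer=notNull&serv=roxy-wi.access.log&rows1=10"}
{"method": "POST", "path": "/app/options.py", "session_valid": false, "headers": {"X-Requested-With": "XMLHttpRequest", "Referer": "http://roxy-wi.example/app/login.py"}, "body": "alert_consumer=notNull&serv=roxy-wi.access.log&rows1=10&grep=&exgrep=&hour=00&minut=00&hour1=23&minut1=45"}
{"method": "GET", "path": "/app/login.py", "session_valid": false, "headers": {}, "body": ""}
{"method": "POST", "path": "/app/options.py", "session_valid": false, "headers": {"X-Requested-With": "XMLHttpRequest"}, "body": "serv=roxy-wi.access.log&rows1=10"}
"""


def parse_version(version):
    """Turn a dotted version string such as '6.1.0.0' into a comparable tuple."""
    return tuple(int(part) for part in version.strip().split("."))


def is_vulnerable_version(version):
    """True when the fingerprinted Roxy-wi version is before the fixed release."""
    return parse_version(version) < FIXED_VERSION


def indicators_for(record):
    """Return the names of the indicators from the entry that one request matches."""
    hits = []
    if record.get("method") != "POST" or record.get("path") != TARGET_PATH:
        return hits  # only POSTs to /app/options.py are of interest
    headers = {k.lower(): v for k, v in record.get("headers", {}).items()}
    body = parse_qs(record.get("body", ""))
    if not record.get("session_valid"):
        hits.append("unauthenticated_post_options_py")
    if body.get("alert_consumer") == ["notNull"]:
        hits.append("alert_consumer_notNull")
    if headers.get("x-requested-with", "").lower() == "xmlhttprequest":
        hits.append("xmlhttprequest_header")
    if "/app/login.py" in headers.get("referer", ""):
        hits.append("referer_login_py")
    return hits


def severity(hits):
    """Grade a set of hits; authenticated use of options.py is normal admin traffic."""
    if "unauthenticated_post_options_py" not in hits:
        return "none"
    if "alert_consumer_notNull" in hits:
        return "high"  # the specific parameter the entry names, with no session
    if len(hits) > 1:
        return "medium"  # unauthenticated plus a corroborating header
    return "low"


def scan(log_text):
    """Scan JSON-lines records and return one alert per request worth reviewing."""
    alerts = []
    for line_no, line in enumerate(log_text.splitlines(), 1):
        if not line.strip():
            continue
        hits = indicators_for(json.loads(line))
        grade = severity(hits)
        if grade != "none":
            alerts.append({"line": line_no, "severity": grade, "indicators": hits})
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
    print("6.1.0.0 vulnerable:", is_vulnerable_version("6.1.0.0"))
```

The grading follows the entry's own caveat: the alert_consumer parameter on its own is legitimate admin use, so only its appearance without a valid session is rated high, and the XMLHttpRequest header or a login.py Referer only raise the grade when they coincide with an unauthenticated request.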

CVSS provenance

NVD, CVSS v3.1: 9.8 CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD, CVSS v2.0: 7.5 HIGH       AV:N/AC:L/Au:N/C:P/I:P/A:P