CVE-2022-31126
published 2022-07-06


Priority P1 · 91 · Critical 9.8 (CVSS 3.1)
CVSS 3.1 vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Exploited in the wild (ITW exploit; listed in VulnCheck KEV)
EPSS: 40.98% (98.5th percentile)
Roxy-wi is an open source web interface for managing Haproxy, Nginx, Apache and Keepalived servers. A vulnerability in Roxy-wi allows a remote, unauthenticated attacker to achieve code execution by sending a specially crafted HTTP request to the /app/options.py file. This affects Roxy-wi versions before 6.1.1.0. Users are advised to upgrade. There are no known workarounds for this issue.
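The description says only that a crafted request leads to code execution; the PoC body listed under Detection & IOCs on this page (getcert=;id;) shows the mechanism is shell metacharacter injection into a command string. The Python below is an added illustration of that bug class beside its hardened forms. It is not Roxy-wi's code: the handler, the use of `echo` as a stand-in for the real command, and the path allowlist are all assumptions made for the demo.

```python
import re
import shlex
import subprocess

# Constructed inputs for the demo. INJECTED mirrors the getcert value in this
# page's PoC request body; BENIGN is what a legitimate caller would send.
INJECTED = ";id;"
BENIGN = "/etc/ssl/certs/site.pem"

# Hypothetical allowlist for a certificate path (not Roxy-wi's policy):
# absolute path, conservative character set, no parent-directory segments.
SAFE_PATH_RE = re.compile(r"^/[A-Za-z0-9_./-]+$")


def build_shell_command(cert_path: str) -> str:
    """Vulnerable pattern: the request value is formatted straight into a
    shell command line. `echo` stands in for the real command so the demo
    runs offline; a ';' in the value still ends it and starts a second one."""
    return f"echo cert {cert_path}"


def run_vulnerable(cert_path: str) -> str:
    """Execute the formatted string through /bin/sh (shell=True).
    With INJECTED the shell runs `echo cert` and then `id`."""
    proc = subprocess.run(build_shell_command(cert_path), shell=True,
                          capture_output=True, text=True)
    return proc.stdout


def run_argv(cert_path: str) -> str:
    """Hardened for a local command: argv list, no shell. The value is a
    single argument, so ';id;' is printed literally, not executed."""
    proc = subprocess.run(["echo", "cert", cert_path],
                          capture_output=True, text=True)
    return proc.stdout


def validate_cert_path(cert_path: str) -> bool:
    """Allowlist check that should run before any command is built."""
    return bool(SAFE_PATH_RE.fullmatch(cert_path)) and ".." not in cert_path


def build_remote_command(cert_path: str) -> str:
    """When the command is relayed over SSH, the remote sshd hands the string
    to a remote shell, so an argv list on the local side is not enough: the
    remote command itself must be quoted. shlex.quote wraps ';id;' in single
    quotes so the remote shell sees one word."""
    return f"cat {shlex.quote(cert_path)}"


def handle_getcert(cert_path: str) -> str:
    """What a hardened handler does: reject anything outside the allowlist,
    then quote whatever survives before it reaches a shell."""
    if not validate_cert_path(cert_path):
        raise ValueError(f"rejected cert path: {cert_path!r}")
    return build_remote_command(cert_path)


if __name__ == "__main__":
    print("vulnerable:", repr(run_vulnerable(INJECTED)))
    print("argv list :", repr(run_argv(INJECTED)))
    print("quoted    :", build_remote_command(INJECTED))
    print("handler   :", handle_getcert(BENIGN))
```

Running it on a Linux host shows the `id` output in the vulnerable variant's stdout, the literal text `cert ;id;` from the argv variant, and `cat ';id;'` from the quoting step; the allowlist rejects the injected value before quoting is even needed.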

Affected (2 ranges)

Vendor    Product   Version range   Fixed in
hap-wi    roxy-wi   < 6.1.1.0       6.1.1.0
roxy-wi   roxy-wi   < 6.1.1.0       6.1.1.0

Detection & IOCs (extracted from sources)

path: /app/options.py
path: /app/funct.py
command (PoC request body): show_versions=1&token=&alert_consumer=1&serv=127.0.0.1&getcert=;id;
yara / regex (id output in response): uid=([0-9(a-z)]+) gid=([0-9(a-z)]+)
  • The exploit payload uses an empty 'token' field alongside 'show_versions=1' and 'alert_consumer=1', indicating no authentication is required. Alert on POST requests to /app/options.py whose body carries an empty token= parameter together with show_versions=1 and alert_consumer=1.
  • Successful exploitation returns output matching 'uid=...gid=...' in the HTTP response body. Monitor HTTP 200 responses from /app/options.py containing this pattern. Note that the character class [0-9(a-z)] in the regex above matches digits, lowercase letters and literal parentheses, so it matches 'uid=0(root) gid=0(root)' but will miss account names containing uppercase letters, underscores or hyphens.
  • Use Shodan/FOFA queries to identify exposed Roxy-WI instances as potential targets: Shodan html:"Roxy-WI", FOFA body="roxy-wi".
  • The vulnerable code path involves the ssh_command function in /app/funct.py, which does not sanitize user-supplied input before executing system commands.
  • The PoC uses 'serv=127.0.0.1' as the server parameter; in real attacks this value may vary. Detection rules should not rely solely on this specific IP value.
  • This vulnerability affects Roxy-WI versions strictly before 6.1.1.0. Versions 6.1.1.0 and later are not affected.
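The request-side and response-side rules in the list above, together with the caveat that serv= should not be the key, as a worked example of detection logic run over sample events. This is added here and is not the page's or any vendor's detection rule; the event format (one dict per request/response pair, as a WAF or reverse proxy might log it) and the sample events are constructed for the demo. It also flags shell metacharacters in any parameter value, a slightly broader check than the page's rules, so that encoded or re-ordered variants of the PoC still fire.

```python
import re
from urllib.parse import parse_qs

VULN_PATH = "/app/options.py"

# Regex from this page's IOC list: the output of `id` echoed in a response.
# The class [0-9(a-z)] covers digits, lowercase letters and literal
# parentheses, so 'uid=0(root) gid=0(root)' matches; uppercase, '_' and '-'
# in account names do not.
ID_OUTPUT_RE = re.compile(r"uid=([0-9(a-z)]+) gid=([0-9(a-z)]+)")

# Characters that let a parameter value break out of a shell command string.
SHELL_META_RE = re.compile(r"[;|&`$\n]")

# Constructed sample events, not real traffic. Event 0 is the PoC body from
# this page; event 1 is the same primitive with a different serv value and a
# URL-encoded command, which is why the rules below never key on 127.0.0.1.
SAMPLE_EVENTS = [
    {"method": "POST", "path": VULN_PATH, "status": 200,
     "body": "show_versions=1&token=&alert_consumer=1&serv=127.0.0.1&getcert=;id;",
     "resp": "uid=0(root) gid=0(root) groups=0(root)"},
    {"method": "POST", "path": VULN_PATH, "status": 200,
     "body": "show_versions=1&token=&alert_consumer=1&serv=10.0.0.5"
             "&getcert=%3Bcat+%2Fetc%2Fpasswd%3B",
     "resp": "root:x:0:0:root:/root:/bin/bash"},
    {"method": "POST", "path": VULN_PATH, "status": 200,
     "body": "token=abc123&show_versions=1&alert_consumer=1&serv=10.0.0.5"
             "&getcert=/etc/ssl/certs/site.pem",
     "resp": "-----BEGIN CERTIFICATE-----"},
    {"method": "GET", "path": "/app/overview.py", "status": 200,
     "body": "", "resp": "<html>"},
]


def analyze(event: dict) -> list:
    """Return the detection tags that fire for one request/response event."""
    tags = []
    if event["method"] == "POST" and event["path"] == VULN_PATH:
        # separator="&" matters: the PoC value ';id;' contains ';', which
        # older query parsers also treated as a separator and would split the
        # payload. keep_blank_values keeps the empty token= the first rule
        # keys on.
        params = parse_qs(event["body"], keep_blank_values=True, separator="&")
        token = params.get("token", [""])[0]
        if (params.get("show_versions") == ["1"]
                and params.get("alert_consumer") == ["1"]
                and token == ""):
            tags.append("unauth-options-request")
        for name, values in params.items():
            if any(SHELL_META_RE.search(v) for v in values):
                tags.append(f"shell-metachar:{name}")
        if event["status"] == 200 and ID_OUTPUT_RE.search(event["resp"]):
            tags.append("id-output-in-response")
    return tags


def scan(events: list) -> list:
    """Run analyze() over a batch and return (index, tags) for hits only."""
    hits = []
    for i, ev in enumerate(events):
        tags = analyze(ev)
        if tags:
            hits.append((i, tags))
    return hits


if __name__ == "__main__":
    for i, tags in scan(SAMPLE_EVENTS):
        print(f"event {i}: {', '.join(tags)}")
```

Events 0 and 1 fire the request-side rules (event 0 also fires the response-side rule), while the authenticated request with a plain file path and the unrelated GET stay silent. In a production rule the `id-output-in-response` tag is the high-confidence signal; the request-side tags are worth alerting on alone only because the page's rule states that an empty token with those two flags is never legitimate.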

CVSS provenance

Source      Version   Score   Severity   Vector
nvd         v3.1      9.8     CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd         v2.0      7.5     HIGH       AV:N/AC:L/Au:N/C:P/I:P/A:P
vulncheck             10.0    CRITICAL