CVE-2022-31137
Published 2022-07-08
CVE-2022-31137: Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. Versions prior to 6.1.1.0 are subject to a remote code execution…
Priority: P1 92
Severity: critical, CVSS 3.1 base score 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Tags: ITW, EXPLOIT, VulnCheck KEV
Exploited in the wild
EPSS: 90.39% (99.8th percentile)
Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. Versions prior to 6.1.1.0 are subject to a remote code execution vulnerability. System commands can be run remotely via the subprocess_execute function without processing the inputs received from the user in the /app/options.py file. Attackers need not be authenticated to exploit this vulnerability. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| hap-wi | roxy-wi | < 6.1.1.0 | 6.1.1.0 |
| maradns | maradns | >= 0 < 2.0.13-1.4+deb11u1build0.20.04.1 | 2.0.13-1.4+deb11u1build0.20.04.1 |
| maradns | maradns | >= 0 < 2.0.13-1.4+deb11u1build0.22.04.1 | 2.0.13-1.4+deb11u1build0.22.04.1 |
| maradns | maradns | >= 0 < 2.0.13-1ubuntu0.1~esm1 | 2.0.13-1ubuntu0.1~esm1 |
| maradns | maradns | >= 0 < 2.0.13-1.2ubuntu0.1~esm1 | 2.0.13-1.2ubuntu0.1~esm1 |
| roxy-wi | roxy-wi | < 6.1.1.0 | 6.1.1.0 |
Detection & IOCs (extracted from sources)
- Detect unauthenticated POST requests to /app/options.py with command injection payloads in parameters such as ipbackend, getcert, or delcert. No authentication headers are required by the attacker.
- Look for POST requests to /app/options.py containing shell metacharacters (semicolons, quotes, plus signs used as spaces) in the ipbackend, getcert, or delcert POST body parameters.
- Requests exploiting this CVE typically include the header X-Requested-With: XMLHttpRequest and a Referer pointing to /app/login.py, with no session/auth cookie.
- Shodan/FOFA fingerprinting: identify exposed Roxy-WI instances via an HTML body containing 'Roxy-WI' or 'roxy-wi' as a pre-exploitation reconnaissance indicator.
- A Metasploit module is available for this vulnerability targeting Linux HTTP services; monitor for automated exploitation attempts against /app/options.py.
- The vulnerable endpoint /app/options.py is reachable without authentication; the subprocess_execute function passes user-supplied input directly to system commands. The fix requires an upgrade to >= 6.1.1.0.
- Multiple injection parameters exist in /app/options.py: ipbackend, getcert, and delcert are all confirmed injection points across related CVEs (CVE-2022-31137, CVE-2022-31126, CVE-2022-31161) sharing the same vulnerable file and endpoint.
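The detection guidance above can be turned into a request-level check. The following is an added example, not code from Roxy-WI or from any of the sources quoted on this page: it parses raw HTTP requests as a WAF, IDS or request-logging proxy would see them and flags POSTs to /app/options.py whose ipbackend, getcert or delcert parameters carry shell metacharacters, together with the secondary indicators the page lists (no session cookie or auth header, Referer pointing at /app/login.py). It assumes that legitimate Roxy-WI traffic to options.py carries a session cookie; the two sample requests and the hostname roxy.example.internal are constructed for this example.

```python
"""Request-level detection for CVE-2022-31137-style traffic against Roxy-WI.

Added example (not Roxy-WI code). Assumption: legitimate requests to
/app/options.py carry a session cookie, so its absence is an indicator.
"""
import re
from urllib.parse import parse_qs

TARGET_PATH = "/app/options.py"
# Parameters the page lists as confirmed injection points.
INJECTION_PARAMS = ("ipbackend", "getcert", "delcert")
# Characters that never belong in a host name, IP or certificate name
# but do have meaning to a shell (the page names semicolons and quotes).
SHELL_META = re.compile(r"[;|&`'\"$<>\n]|\$\(")


def parse_request(raw: str) -> dict:
    """Split a raw HTTP/1.1 request into method, path, headers and decoded body params."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _ = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    # parse_qs applies form decoding: '+' becomes a space and %3B becomes ';',
    # so the check below sees the value the application would have seen.
    params = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    return {"method": method, "path": path.split("?", 1)[0],
            "headers": headers, "params": params}


def is_authenticated(headers: dict) -> bool:
    """Assumption: a session cookie or Authorization header marks a logged-in user."""
    return "cookie" in headers or "authorization" in headers


def analyze_request(raw: str) -> list:
    """Return a list of finding strings for one request; an empty list means clean."""
    req = parse_request(raw)
    findings = []
    if req["method"] != "POST" or req["path"] != TARGET_PATH:
        return findings
    # Primary indicator: shell metacharacters in a known injection parameter.
    for name in INJECTION_PARAMS:
        value = req["params"].get(name)
        if value is not None and SHELL_META.search(value):
            findings.append(f"shell metacharacters in {name}: {value!r}")
    # Secondary indicators from the page; weaker on their own, strong combined.
    if not is_authenticated(req["headers"]):
        findings.append("unauthenticated POST to /app/options.py")
    if req["headers"].get("referer", "").endswith("/app/login.py"):
        findings.append("Referer points at /app/login.py")
    return findings


# Constructed sample requests (not captured traffic).
BENIGN = (
    "POST /app/options.py HTTP/1.1\r\n"
    "Host: roxy.example.internal\r\n"
    "Cookie: uuid=placeholder-session-value\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "ipbackend=10.0.0.5"
)
SUSPICIOUS = (
    "POST /app/options.py HTTP/1.1\r\n"
    "Host: roxy.example.internal\r\n"
    "X-Requested-With: XMLHttpRequest\r\n"
    "Referer: http://roxy.example.internal/app/login.py\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "ipbackend=127.0.0.1%3Becho+DETECT_ME&alert=&serv=127.0.0.1"
)

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        print(label, analyze_request(sample) or "clean")
```

The benign request yields no findings; the suspicious one yields three (metacharacters in ipbackend, no session cookie, login.py Referer). Decoding the body before matching matters because the page notes that exploitation traffic encodes spaces as plus signs and may percent-encode the semicolon, so a pattern applied to the raw body can miss it.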
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C |
| osv | | 7.5 | HIGH | |
| vulncheck | | 10.0 | CRITICAL | |
OSV
maradns vulnerabilities
osv·2023-08-03·CVSS 7.5
CVE-2022-30256 maradns vulnerabilities
maradns vulnerabilities
Xiang Li discovered that MaraDNS incorrectly handled certain inputs. If a user or an automated system were tricked into opening a specially crafted input file, a remote attacker could possibly use this issue to obtain sensitive information. (CVE-2022-30256)
Huascar Tejeda discovered that MaraDNS incorrectly handled certain inputs. If a user or an automated system were tricked into opening a specially crafted input file, a remote attacker could possibly use this issue to cause a denial of service. (CVE-2023-31137)
VulnCheck
roxy-wi roxy-wi Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
vulncheck·2022·CVSS 10.0
CVE-2022-31137 [CRITICAL] roxy-wi roxy-wi Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. Versions prior to 6.1.1.0 are subject to a remote code execution vulnerability. System commands can be run remotely via the subprocess_execute function without processing the inputs received from the user in the /app/options.py file. Attackers need not be authenticated to exploit this vulnerability. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Affected: roxy-wi roxy-wi
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://w
No detection rules found.
Exploit-DB
Roxy WI v6.1.0.0 - Unauthenticated Remote Code Execution (RCE)
exploitdb·2023-04-03·CVSS 10.0
CVE-2022-31126 [CRITICAL] Roxy WI v6.1.0.0 - Unauthenticated Remote Code Execution (RCE)
---
# ADVISORY INFORMATION
# Exploit Title: Roxy WI v6.1.0.0 - Unauthenticated Remote Code Execution (RCE)
# Date of found: 21 July 2022
# Application: Roxy WI <= v6.1.0.0
# Author: Nuri Çilengir
# Vendor Homepage: https://roxy-wi.org
# Software Link: https://github.com/hap-wi/roxy-wi.git
# Advisory: https://pentest.blog/advisory-roxy-wi-unauthenticated-remote-code-executions-cve-2022-31137
# Tested on: Ubuntu 22.04
# CVE : CVE-2022-31126
# PoC
POST /app/options.py HTTP/1.1
Host: 192.168.56.116
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:101.0) Gecko/20100101 Firefox/101.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-
Exploit-DB
Roxy WI v6.1.0.0 - Improper Authentication Control
exploitdb·2023-04-03·CVSS 10.0
CVE-2022-31125 [CRITICAL] Roxy WI v6.1.0.0 - Improper Authentication Control
---
# Exploit Title: Roxy WI v6.1.0.0 - Improper Authentication Control
# Date of found: 21 July 2022
# Application: Roxy WI <= v6.1.0.0
# Author: Nuri Çilengir
# Vendor Homepage: https://roxy-wi.org
# Software Link: https://github.com/hap-wi/roxy-wi.git
# Advisory: https://pentest.blog/advisory-roxy-wi-unauthenticated-remote-code-executions-cve-2022-31137
# Tested on: Ubuntu 22.04
# CVE : CVE-2022-31125
# PoC
POST /app/options.py HTTP/1.1
Host: 192.168.56.116
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:101.0) Gecko/20100101 Firefox/101.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 105
Origin
Nuclei
Roxy-WI < 6.1.1.0 - Remote Code Execution
nuclei·CVSS 9.8
CVE-2022-31137 [CRITICAL] Roxy-WI < 6.1.1.0 - Remote Code Execution
Roxy-WI before 6.1.1.0 is susceptible to remote code execution. System commands can be run remotely via the subprocess_execute function without processing the inputs received from the user in the /app/options.py file.
Template:
```yaml
id: CVE-2022-31137

info:
  name: Roxy-WI < 6.1.1.0 - Remote Code Execution
  author: DhiyaneshDK
  severity: critical
  description: |
    Roxy-WI before 6.1.1.0 is susceptible to remote code execution. System commands can be run remotely via the subprocess_execute function without processing the inputs received from the user in the /app/options.py file.
  impact: |
    Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected system.
  remediation: |
    Users are advised to upgrade to late
```
Nuclei
Roxy-WI - Remote Code Execution
nuclei·CVSS 9.8
CVE-2022-31126 [CRITICAL] Roxy-WI - Remote Code Execution
Roxy-WI before 6.1.1.0 is susceptible to remote code execution. System commands can be run remotely via the ssh_command function without processing the inputs received from the user in the /app/funct.py file.
Template:
```yaml
id: CVE-2022-31126

info:
  name: Roxy-WI - Remote Code Execution
  author: ritikchaddha
  severity: critical
  description: |
    Roxy-WI before 6.1.1.0 is susceptible to remote code execution. System commands can be run remotely via the ssh_command function without processing the inputs received from the user in the /app/funct.py file.
  impact: |
    Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected system.
  remediation: |
    Users are advised to upgrade to latest version.
  reference:
    - https://pent
```
Nuclei
Roxy-WI - Remote Code Execution
nuclei·CVSS 9.8
CVE-2022-31161 [CRITICAL] Roxy-WI - Remote Code Execution
Roxy-WI before 6.1.1.0 is susceptible to remote code execution. System commands can be run remotely via the delcert parameter without proper input validation in the /app/options.py file, allowing attackers to inject arbitrary OS commands.
Template:
```yaml
id: CVE-2022-31161

info:
  name: Roxy-WI - Remote Code Execution
  author: ritikchaddha
  severity: critical
  description: |
    Roxy-WI before 6.1.1.0 is susceptible to remote code execution. System commands can be run remotely via the delcert parameter without proper input validation in the /app/options.py file, allowing attackers to inject arbitrary OS commands.
  impact: |
    Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected system.
  remediation: |
    Users are adv
```
Metasploit
Roxy-WI Prior to 6.1.1.0 Unauthenticated Command Injection RCE
metasploit
This module exploits an unauthenticated command injection vulnerability in Roxy-WI prior to version 6.1.1.0. Successful exploitation results in remote code execution under the context of the web server user. Roxy-WI is an interface for managing HAProxy, Nginx and Keepalived servers.
Bleepingcomputer
New Aquabotv3 botnet malware targets Mitel command injection flaw
blogs_bleepingcomputer·2025-01-29·CVSS 7.2
CVE-2024-41710 [HIGH] New Aquabotv3 botnet malware targets Mitel command injection flaw
## New Aquabotv3 botnet malware targets Mitel command injection flaw
By Bill Toulas
A new variant of the Mirai-based botnet malware Aquabot has been observed actively exploiting CVE-2024-41710, a command injection vulnerability in Mitel SIP phones.
The activity was discovered by Akamai's Security Intelligence and Response Team (SIRT), which reports that this is the third variant of Aquabot to come onto its radar.
The malware family was introduced in 2023, and a second version that added persistence mechanisms was released later. The third variant, 'Aquabotv3,' introduced a system that detects termination signals and sends the info to the command-and-control (C2) server.
Akamai comments that Aquabotv3's mechanism to report back kill attempts is unusual for botnets and may have been
Unit42
Network Security Trends: November 2022-January 2023
blogs_unit42·2023-05-02·CVSS 9.8
CVE-2021-22005 [CRITICAL] Network Security Trends: November 2022-January 2023
## Network Security Trends: November 2022-January 2023
Yiheng An
Published: May 2, 2023
## Executive Summary
Recent observations of exploits used in the wild November 2022-January 2023 reveal that attackers have been using newly published remote code execution vulnerabilities in the following three products:
- Roxy-WI, a web interface for managing and monitoring RoxyDNS
- CWP, a free web hosting control panel (aka Control Web Panel or CentOS Web Panel)
- Cacti, an open-source netw
Unit42
Network Security Trends: November 2022-January 2023
blogs_unit42·2023-05-02
## Executive Summary
Recent observations of exploits used in the wild November 2022-January 2023 reveal that attackers have been using newly published remote code execution vulnerabilities in the following three products:
- Roxy-WI, a web interface for managing and monitoring RoxyDNS
- CWP, a free web hosting control panel (aka Control Web Panel or CentOS Web Panel)
- Cacti, an open-source network monitoring and graphing tool used to track the performance of various network devices, servers and applications
Additionally, attackers have also been taking advantage of a traversal and information disclosure vulnerability in ThoughtWorks GoCD to read sensitive files stored on servers.
In our observations of network security trends, Unit 42 researchers have pinpointed several attacks based o
References:
- http://packetstormsecurity.com/files/167805/Roxy-WI-Remote-Command-Execution.html
- http://packetstormsecurity.com/files/171648/Roxy-WI-6.1.0.0-Improper-Authentication-Control.html
- http://packetstormsecurity.com/files/171652/Roxy-WI-6.1.1.0-Remote-Code-Execution.html
- http://packetstormsecurity.com/files/172547/Roxy-WI-6.1.0.0-Remote-Command-Execution.html
- https://github.com/hap-wi/roxy-wi/commit/82666df1e60c45dd6aa533b01a392f015d32f755
- https://github.com/hap-wi/roxy-wi/security/advisories/GHSA-53r2-mq99-f532