CVE-2022-31706
published 2023-01-26


Priority: P193 · Critical · 9.8 (CVSS 3.1)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: ITW · EXPLOIT · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 87.08% (99.7th percentile)
The vRealize Log Insight contains a Directory Traversal Vulnerability. An unauthenticated, malicious actor can inject files into the operating system of an impacted appliance which can result in remote code execution.

Affected (2 ranges)

Vendor    Product                Version range        Fixed in
vmware    vrealize_log_insight   3.0 – 4.8            (not listed)
vmware    vrealize_log_insight   >= 8.0.0 < 8.10.2    8.10.2

Detection & IOCs (extracted from sources)

url: {{BaseURL}}/i18n/component/JS?locale=en-US
url: {{BaseURL}}/api/v1/version
other: shodan: http.title:"vrealize log insight"
other: fofa: title="vrealize log insight"
other: google: intitle:"vrealize log insight"
command: RemotePakDownloadCommand via exposed Thrift service after obtaining node token via GetConfigRequest Thrift command, followed by PakUpgradeCommand
other: Thrift RPC endpoints abused for arbitrary file write; IP address spoofing to match master/worker node IP
path: JSP payload placed under pre-authenticated API endpoint location upon PAK archive extraction
other: cron job reverse shell written as default payload
  • Detect version enumeration probes targeting vRealize Log Insight version endpoints; responses containing 'logInsight' or 'releaseName":' in body with HTTP 200 indicate a vulnerable instance
  • Monitor for unauthenticated GET requests to /i18n/component/JS?locale=en-US and /api/v1/version as reconnaissance steps preceding exploitation
  • Check Point IPS signature available for this CVE; use signature 'VMware vRealize Log Insight Directory Traversal (CVE-2022-31706)' for network-level detection
  • Exploitation requires attacker to have the same IP address as a master/worker node; monitor for unexpected IP address additions or static IP configuration changes on vRealize Log Insight nodes
  • Monitor for new or modified cron jobs on vRealize Log Insight appliances, as the default PoC payload writes a cron job to establish a reverse shell
  • Monitor for Thrift RPC traffic to vRealize Log Insight nodes, particularly GetConfigRequest and RemotePakDownloadCommand/PakUpgradeCommand sequences from unexpected sources
  • CVE-2022-31706 is chained with CVE-2022-31704 (broken access control) and CVE-2022-31711 (information disclosure); detect exploitation of all three together under VMSA-2023-0001
  • vRealize Log Insight is unlikely to be internet-facing; exploitation is more probable as a lateral movement technique from an already-compromised internal foothold
  • Affected versions span 8.x (8.0.0–8.10.x) and older 3.x/4.x branches per the Nuclei template version comparisons; version 8.10.2 is the fixed release per the advisory

CVSS provenance

Source      Version   Score   Severity    Vector
nvd         v3.1      9.8     CRITICAL    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck             9.8     CRITICAL