CVE-2022-31793
published 2022-08-04

Priority: P179 high
CVSS 3.1: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 11.37% (95.4th percentile)

do_request in request.c in muhttpd before 1.1.7 allows remote attackers to read arbitrary files by constructing a URL with a single character before a desired path on the filesystem. This occurs because the code skips over the first character when serving files. Arris NVG443, NVG599, NVG589, and NVG510 devices and Arris-derived BGW210 and BGW320 devices are affected.

Affected

1 range

Vendor      Product   Version range   Fixed in
inglorion   muhttpd   < 1.1.7         1.1.7

Detection & IOCs (extracted from sources)

command: GET a/etc/passwd
bytes: 47455420612F6574632F706173737764
  • The exploit sends a raw TCP request with a single arbitrary character prepended before the target path (e.g., 'GET a/etc/passwd'). Detect HTTP GET requests where the path begins with a single non-slash character immediately followed by a filesystem path such as /etc/passwd.
  • Detection over raw TCP: send hex payload '47455420612F6574632F706173737764' followed by '\n\n' and look for response body containing hex string '726f6f743a' (ASCII: 'root:'), indicating /etc/passwd content was returned.
  • Affected devices include Arris NVG443, NVG599, NVG589, NVG510, BGW210, and BGW320. Prioritize scanning these device models running muhttpd <= 1.1.5.
  • The vulnerability is unauthenticated and exploitable over the network with no user interaction required (CVSS AV:N/AC:L/PR:N/UI:N). Any exposed muhttpd port should be treated as a high-priority detection target.
  • The Nuclei template targets the default muhttpd TCP port via '{{Hostname}}'. Ensure your scanner resolves the correct port for muhttpd on target Arris/BGW devices, as it may not be standard HTTP port 80.
  • The NVD advisory states the fix is in version 1.1.7, but the Nuclei template remediation incorrectly states 'Update the application to version 1.10'. Use 1.1.7 as the authoritative patched version.

CVSS provenance

nvd: v3.1, 7.5 HIGH, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
vulncheck: 7.5 HIGH