CVE-2022-3184
published 2022-12-21


Priority: P266 | Severity: critical | CVSS 3.1: 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 11.63% (95.5th percentile)
Dataprobe iBoot-PDU FW versions prior to 1.42.06162022 contain a vulnerability where the device’s existing firmware allows unauthenticated users to access an old PHP page vulnerable to directory traversal, which may allow a user to write a file to the webroot directory.

Affected

13 ranges
Vendor     Product                        Version range      Fixed in
dataprobe  iboot-pdu4-n20_firmware        < 1.42.06162022    1.42.06162022
dataprobe  iboot-pdu4a-n15_firmware       < 1.42.06162022    1.42.06162022
dataprobe  iboot-pdu4a-n20_firmware       < 1.42.06162022    1.42.06162022
dataprobe  iboot-pdu4sa-n15_firmware      < 1.42.06162022    1.42.06162022
dataprobe  iboot-pdu4sa-n20_firmware      < 1.42.06162022    1.42.06162022
dataprobe  iboot-pdu8a-2n15_firmware      < 1.42.06162022    1.42.06162022
dataprobe  iboot-pdu8a-2n20_firmware      < 1.42.06162022    1.42.06162022
dataprobe  iboot-pdu8a-n15_firmware       < 1.42.06162022    1.42.06162022
dataprobe  iboot-pdu8a-n20_firmware       < 1.42.06162022    1.42.06162022
dataprobe  iboot-pdu8sa-2n15_firmware     < 1.42.06162022    1.42.06162022
dataprobe  iboot-pdu8sa-n15_firmware      < 1.42.06162022    1.42.06162022
dataprobe  iboot-pdu8sa-n20_firmware      < 1.42.06162022    1.42.06162022
dataprobe  iboot-pdu_fw                   <= 1.42.06162022

Detection & IOCs (extracted from sources)

path
/php/git-update.php
snort
alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Dataprobe iBoot-PDU Pre-Auth Remote Code Execution Attempt via git-update.php (CVE-2022-3184) M1"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:19; content:"/php/git-update.php"; fast_pattern; http.request_body; content:"branch|3d 2e 2e 2f 2e 2e 2f 2e 2e 2f|"; content:"token|3d 26|"; reference:url,claroty.com/team82/research/jumping-nat-to-shut-down-electric-devices; reference:cve,2022-3184; classtype:attempted-admin; sid:2038965; rev:2;)
snort
alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Dataprobe iBoot-PDU Pre-Auth Remote Code Execution Attempt via git-update.php (CVE-2022-3184) M2"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:19; content:"/php/git-update.php"; fast_pattern; http.request_body; content:"branch=|2e 2e 25 32 46 2e 2e 25 32 46 2e 2e 25 32 46|"; content:"token=|25 32 36|"; reference:url,claroty.com/team82/research/jumping-nat-to-shut-down-electric-devices; reference:cve,2022-3184; classtype:attempted-admin; sid:2038966; rev:2;)
bytes
branch|3d 2e 2e 2f 2e 2e 2f 2e 2e 2f| (raw directory traversal: branch=../../../)
bytes
branch=|2e 2e 25 32 46 2e 2e 25 32 46 2e 2e 25 32 46| (URL-encoded directory traversal: branch=..%2F..%2F..%2F)
bytes
token|3d 26| (token=& — empty/null token parameter)
bytes
token=|25 32 36| (URL-encoded token=& — empty/null token parameter)
  • Exploit arrives as an HTTP POST request to the exact URI /php/git-update.php (URI byte-size is exactly 19); match on both raw and URL-encoded directory traversal variants in the request body.
  • Vulnerable firmware versions are strictly those prior to 1.42.06162022; devices already patched to 1.42.06162022 or later are not affected.
  • The Snort rules are scoped to inbound traffic toward $HOME_NET only; ensure $HOME_NET correctly includes all iBoot-PDU management interfaces to avoid blind spots.
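
The request conditions of the two rules above, as an added Python example for triaging captured requests offline; it is not code from the page's sources. The sample requests, the host name pdu.example and the helper names are constructed for illustration.

```python
from typing import List, NamedTuple

# Values copied from the two rules on this page.
TARGET_URI = b"/php/git-update.php"   # bsize:19, so the URI must equal this exactly
RULES = {
    "M1": (b"branch=../../../", b"token=&"),          # raw form, sid 2038965
    "M2": (b"branch=..%2F..%2F..%2F", b"token=%26"),  # URL-encoded form, sid 2038966
}

class Request(NamedTuple):
    method: bytes
    uri: bytes
    body: bytes

def parse_request(raw: bytes) -> Request:
    """Split a raw HTTP/1.x request into method, URI and body (no chunked decoding)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    parts = head.split(b"\r\n", 1)[0].split(b" ")
    if len(parts) != 3:               # malformed request line: nothing to match
        return Request(b"", b"", b"")
    return Request(parts[0], parts[1], body)

def match_rules(raw: bytes) -> List[str]:
    """Return the labels (M1/M2) of the rules whose conditions the request meets."""
    req = parse_request(raw)
    if req.method != b"POST" or req.uri != TARGET_URI:
        return []
    # Both content strings of a rule must be present in the request body,
    # byte for byte as written in the rule.
    return [label for label, needles in RULES.items()
            if all(n in req.body for n in needles)]

def build(method: bytes, uri: bytes, body: bytes) -> bytes:
    """Assemble a constructed sample request (illustration only)."""
    return (b"%s %s HTTP/1.1\r\nHost: pdu.example\r\nContent-Length: %d\r\n\r\n%s"
            % (method, uri, len(body), body))

# Constructed samples: one per rule, a benign POST, and a non-matching URI.
SAMPLES = {
    "raw": build(b"POST", TARGET_URI, b"branch=../../../placeholder&token=&"),
    "encoded": build(b"POST", TARGET_URI, b"branch=..%2F..%2F..%2Fplaceholder&token=%26"),
    "benign_post": build(b"POST", TARGET_URI, b"branch=main&token=abc"),
    "other_uri": build(b"POST", b"/php/git-update.php?x=1", b"branch=../../../placeholder&token=&"),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:12} -> {match_rules(raw) or 'no match'}")
```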