CVE-2022-31885
Published: 2022-06-28

Marval MSM v14.19.0.12476 is vulnerable to OS Command Injection due to the insecure handling of VBScripts.

Priority: P276
Severity: critical, CVSS 3.1 base score 9.8
Exploit: public exploit available
EPSS: 31.32% (98.1st percentile)
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| marvalglobal | marval_msm | — | — |
Detection & IOCs (extracted from sources)

Indicator URL:
/MSM_Test/RFP/Forms/ScriptHandler.ashx?method=ProcessScript&classPath=%2FMSM_Test%2FRFP%2FForms%2FScriptMaintenance.aspx&classMode=WXr8G2r3eh0wvNjbiIT6aYVgZATjWlaZW0UFQrQrcAku4qWefyYTUu%2BzULTTON0fQaLjNtnCW7VX%2Fj1rYPDpKKN%2F8HPLGRSpVbdvPaR4mPIrSr4Aj22VMuIDEkMTpPhoq3gX8p4TBir56GBTJcpLv1agwKPB%2BWI%2F2TlU%2FjQKzz0%3D

Detection opportunities:
- Detect POST requests to ScriptHandler.ashx with the 'method=ProcessScript' query parameter, which is the exploit's trigger endpoint for OS command injection via VBScript.
- Alert on POST body content containing VBScript patterns invoking wscript.Shell CreateObject combined with shell.run and powershell.exe, indicating in-band OS command injection via the ScriptHandler endpoint.
- Monitor for the 'classMode' query parameter in requests to ScriptHandler.ashx; the exploit passes an encrypted/encoded token in this parameter to bypass authentication checks.
- The exploit is authenticated; correlate the appNameAuth cookie value with session activity on ScriptMaintenance.aspx prior to the malicious POST to ScriptHandler.ashx to identify compromised sessions.

Caveats:
- The exploit requires authentication (a valid ASP.NET session plus the appNameAuth cookie); detections based solely on the endpoint path may also fire on unauthenticated probes, but the actual RCE requires a valid session.
- The vulnerability is specific to version v14.19.0.12476 on Windows; version-check detections should be scoped accordingly.
CVSS provenance
- NVD, CVSS v3.1: 9.8 CRITICAL (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
- NVD, CVSS v2.0: 7.5 HIGH (AV:N/AC:L/Au:N/C:P/I:P/A:P)
No detection rules found.
No writeups or analysis indexed.
References
- https://cyber-guy.gitbook.io/cyber-guy/pocs/marval-msm/os-command-injection
- https://drive.google.com/drive/folders/1Qa-6-LUzEnduSGfWLUjVLCyKr5wuEu5k?usp=sharing
- https://marvalglobal.com/