CVE-2022-31885
published 2022-06-28

CVE-2022-31885: Marval MSM v14.19.0.12476 is vulnerable to OS Command Injection due to the insecure handling of VBScripts.

Priority P276, critical, 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 31.32% (98.1th percentile)

Affected

1 range
Vendor | Product | Version range | Fixed in
marvalglobal | marval_msm | |

Detection & IOCs (extracted from sources)

url: /MSM_Test/RFP/Forms/ScriptHandler.ashx?method=ProcessScript&classPath=%2FMSM_Test%2FRFP%2FForms%2FScriptMaintenance.aspx&classMode=WXr8G2r3eh0wvNjbiIT6aYVgZATjWlaZW0UFQrQrcAku4qWefyYTUu%2BzULTTON0fQaLjNtnCW7VX%2Fj1rYPDpKKN%2F8HPLGRSpVbdvPaR4mPIrSr4Aj22VMuIDEkMTpPhoq3gX8p4TBir56GBTJcpLv1agwKPB%2BWI%2F2TlU%2FjQKzz0%3D
path: /MSM_Test/RFP/Forms/ScriptHandler.ashx
path: /MSM_Test/RFP/Forms/ScriptMaintenance.aspx
command: Set shell = CreateObject("wscript.Shell")
  • Detect POST requests to ScriptHandler.ashx with the 'method=ProcessScript' query parameter, which is the exploit's trigger endpoint for OS command injection via VBScript.
  • Alert on POST body content containing VBScript patterns invoking wscript.Shell CreateObject combined with shell.run and powershell.exe, indicating in-band OS command injection via the ScriptHandler endpoint.
  • Monitor for the 'classMode' query parameter in requests to ScriptHandler.ashx; the exploit passes an encrypted/encoded token in this parameter to bypass authentication checks.
  • The exploit is authenticated; correlate the appNameAuth cookie value with session activity on ScriptMaintenance.aspx prior to the malicious POST to ScriptHandler.ashx to identify compromised sessions.
  • The exploit requires authentication (valid ASP.NET session + appNameAuth cookie); detections based solely on the endpoint path may miss unauthenticated probes, but the actual RCE requires a valid session.
  • The vulnerability is specific to version v14.19.0.12476 on Windows; version-check detections should be scoped accordingly.
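
The detection notes above, combined into one scoring pass over request records, as an added example (not code from the source advisory or the vendor). The record layout, the severity labels and the sample requests are constructed assumptions, and request bodies are assumed to be already decoded.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample records (not real traffic): (appNameAuth cookie, method, url, body)
HANDLER = "/MSM_Test/RFP/Forms/ScriptHandler.ashx"
SAMPLE = [
    ("sess-A", "GET", "/MSM_Test/RFP/Forms/ScriptMaintenance.aspx", ""),
    ("sess-A", "POST", HANDLER + "?method=ProcessScript&classMode=PLACEHOLDER",
     'Set shell = CreateObject("wscript.Shell")\nshell.run "powershell.exe <placeholder>"'),
    ("sess-B", "POST", HANDLER + "?method=ProcessScript&classMode=PLACEHOLDER",
     'MsgBox "hello"'),
    ("sess-C", "GET", HANDLER + "?method=Other", ""),
]

# VBScript markers named in the detection notes, matched case-insensitively
SHELL_OBJ = re.compile(r'createobject\s*\(\s*"wscript\.shell"\s*\)', re.I)
SHELL_RUN = re.compile(r'\.run\b', re.I)
POWERSHELL = re.compile(r'powershell(\.exe)?', re.I)

def score_requests(records):
    """Return (cookie, severity, reasons) for every ProcessScript POST seen."""
    seen_maintenance = set()   # sessions that opened ScriptMaintenance.aspx earlier
    findings = []
    for cookie, method, url, body in records:
        parts = urlsplit(url)
        path = parts.path.lower()
        query = parse_qs(parts.query)
        if path.endswith("/scriptmaintenance.aspx"):
            seen_maintenance.add(cookie)
            continue
        if not (method == "POST" and path.endswith("/scripthandler.ashx")
                and "ProcessScript" in query.get("method", [])):
            continue
        reasons = ["ProcessScript POST"]
        if "classMode" in query:
            reasons.append("classMode token present")
        if cookie in seen_maintenance:
            reasons.append("session visited ScriptMaintenance.aspx first")
        # All three markers together indicate a shell-spawning script body
        payload = all(p.search(body) for p in (SHELL_OBJ, SHELL_RUN, POWERSHELL))
        if payload:
            reasons.append("wscript.Shell + run + powershell in body")
        findings.append((cookie, "high" if payload else "review", reasons))
    return findings

if __name__ == "__main__":
    for finding in score_requests(SAMPLE):
        print(finding)
```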

CVSS provenance

nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P