cbcvebase.
CVE-2022-34753
published 2022-07-13

CVE-2022-34753: A CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability exists that could cause remote root exploit…

PriorityP189high8.8CVSS 3.1
AVNACLPRLUINSUCHIHAH
ITWEXPLOITVulnCheck KEVInitial access
Exploited in the wild
EPSS
71.08%
99.3th percentile
A CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability exists that could cause remote root exploit when the command is compromised. Affected Products: SpaceLogic C-Bus Home Controller (5200WHC2), formerly known as C-Bus Wiser Homer Controller MK2 (V1.31.460 and prior)

Affected

2 ranges
VendorProductVersion rangeFixed in
schneider-electricspacelogic_c-bus_home_controller_firmware<= 1.31.460
schneider_electricspacelogic_c-bus_home_controller>= 5200WHC2 < V1.31.460V1.31.460

Detection & IOCsextracted from sources · hover to see the quote

url/delsnap.pl?name=|<cmd>
path/delsnap.pl
path/mnt/microsd/clipsal/ugen/imgs/
snort
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Attempted Schneider Electric SpaceLogic C-Bus Home Controller 5200WHC2 Remote Code Execution (CVE-2022-34753)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/delsnap.pl|3f 7c|"; fast_pattern; startswith; http.header_names; to_lowercase; content:!"|0d 0a|referer|0d 0a|"; reference:url,www.exploit-db.com/exploits/50987; classtype:attempted-admin; sid:2038665; rev:2; metadata:attack_target IoT, created_at 2022_08_29, cve CVE_2022_34753, performance_impact Low, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_04_26, reviewed_at 2024_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)
bytes
/delsnap.pl|3f 7c|
  • The injection point is the `name` CGI parameter of `/delsnap.pl`. A pipe character (`|`) is prepended to the attacker-supplied OS command to achieve injection (e.g., `?name=|id`).
  • Successful exploitation returns command output in the HTTP response body with HTTP 200; look for `uid=0(root) gid=0(root)` in responses to GET requests targeting `/delsnap.pl`.
  • Shodan/FOFA fingerprinting: devices exposing `SpaceLogic C-Bus` or `spacelogic c-bus` in HTML body are the target attack surface.
  • The exploit requires HTTP Basic Authentication credentials; monitor for authenticated GET requests to `/delsnap.pl` containing a pipe (`|`) in the `name` parameter.
  • The Emerging Threats Snort rule (SID 2038665) specifically flags absence of a `Referer` header combined with a GET to `/delsnap.pl?` followed by a pipe (`|`, hex `7c`) as a strong exploit indicator.
  • ·The exploit requires valid HTTP Basic Authentication credentials for the device; unauthenticated exploitation is not demonstrated in the public PoC, though the CVSS score (PR:L) reflects low-privilege access is sufficient.
  • ·The vulnerability affects SpaceLogic C-Bus Home Controller (5200WHC2) firmware V1.31.460 and prior only; the underlying OS is Linux 2.6.37 on ARMv7 (OMAP3), so network signatures should be scoped to IoT/embedded device segments.

CVSS provenance

nvdv3.18.8HIGHCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vulncheck8.8HIGH
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.