CVE-2022-36553
published 2022-08-29

CVE-2022-36553: Hytec Inter HWL-2511-SS v1.05 and below was discovered to contain a command injection vulnerability via the component /www/cgi-bin/popen.cgi.

Priority: P1 · 90 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: ITW exploit · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 90.80% (99.8th percentile)

Affected

1 range

Vendor   Product                Version range   Fixed in
hytec    hwl-2511-ss_firmware   <= 1.05         -

Detection & IOCs (extracted from sources)

path: /www/cgi-bin/popen.cgi
url: /cgi-bin/popen.cgi?command={{command}}&v=0.1303033443137912
command: cat%20/etc/passwd
command: type%20C://Windows/win.ini
  • Fingerprint vulnerable Hytec HWL-2511-SS devices via HTTP response header and title: lighttpd/1.4.30 with page title 'index'.
  • Detect exploitation attempts by monitoring HTTP GET requests to /cgi-bin/popen.cgi with a 'command' query parameter.
  • Successful Linux RCE exploitation is confirmed by a response body matching the regex 'root:.*:0:0:' (i.e., /etc/passwd content).
  • Successful Windows RCE exploitation is confirmed by response body containing 'bit app support', 'fonts', and 'extensions' (win.ini content).
  • Use ZoomEye query to identify exposed Hytec HWL-2511-SS devices on the internet.
  • The vulnerability is unauthenticated (PR:N/UI:N), meaning no credentials are required to exploit the popen.cgi endpoint.
  • Affected firmware versions are v1.05 and below; devices running later firmware versions may not be vulnerable.
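The detection guidance above (watch for requests to /cgi-bin/popen.cgi carrying a `command` parameter, and treat a response body matching `root:.*:0:0:` or containing the win.ini markers as a sign of successful execution) can be turned into a small log-scanning routine. The code below is an added example written for this page, not a detection rule from the source or from Hytec; it reads a few constructed access-log lines in Common Log Format, flags popen.cgi requests that carry a `command` parameter (any HTTP method, which goes slightly beyond the GET-only wording above), and exposes the URL-decoded command for an analyst. The log lines, IP addresses and timestamps are constructed sample data, not observations.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines in Common Log Format (not taken from the page).
SAMPLE_LOG = """\
203.0.113.5 - - [29/Aug/2022:10:01:02 +0000] "GET /cgi-bin/popen.cgi?command=cat%20/etc/passwd&v=0.13 HTTP/1.1" 200 1337
203.0.113.5 - - [29/Aug/2022:10:01:09 +0000] "GET /index.html HTTP/1.1" 200 512
198.51.100.7 - - [29/Aug/2022:10:02:44 +0000] "GET /cgi-bin/popen.cgi?v=0.5 HTTP/1.1" 200 20
198.51.100.7 - - [29/Aug/2022:10:03:01 +0000] "POST /cgi-bin/popen.cgi?command=id HTTP/1.1" 200 40
"""

# Common Log Format: ip ident user [timestamp] "METHOD target protocol" status size
CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Response-body indicators listed on the page for a successful command execution.
PASSWD_RE = re.compile(r"root:.*:0:0:")
WININI_MARKERS = ("bit app support", "fonts", "extensions")


def parse_clf(line):
    """Return the named fields of one CLF line, or None if it does not parse."""
    match = CLF_RE.match(line)
    return match.groupdict() if match else None


def is_popen_attempt(entry):
    """True when the request targets popen.cgi and carries a 'command' query parameter."""
    parts = urlsplit(entry["target"])
    if not parts.path.endswith("/cgi-bin/popen.cgi"):
        return False
    query = parse_qs(parts.query, keep_blank_values=True)
    return "command" in query


def decoded_command(entry):
    """URL-decoded value of the first 'command' parameter (parse_qs performs the decoding)."""
    query = parse_qs(urlsplit(entry["target"]).query, keep_blank_values=True)
    return query["command"][0]


def scan_log(text):
    """Return one dict per flagged request: source IP, method, decoded command, status code."""
    hits = []
    for line in text.splitlines():
        entry = parse_clf(line)
        if entry and is_popen_attempt(entry):
            hits.append({
                "ip": entry["ip"],
                "method": entry["method"],
                "command": decoded_command(entry),
                "status": entry["status"],
            })
    return hits


def looks_like_passwd(body):
    """Linux indicator from the page: body matches root:.*:0:0: (an /etc/passwd root entry)."""
    return PASSWD_RE.search(body) is not None


def looks_like_winini(body):
    """Windows indicator from the page: all three win.ini markers present (case-insensitive)."""
    lowered = body.lower()
    return all(marker in lowered for marker in WININI_MARKERS)


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f'{hit["ip"]} {hit["method"]} status={hit["status"]} command={hit["command"]!r}')
```

The request-side check is what a web-server log or proxy can provide on its own; the body-side checks only apply where response bodies are captured (for example by a reverse proxy or IDS), and a request flagged together with a matching body should be triaged as confirmed execution rather than an attempt.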

CVSS provenance

nvd: v3.1, 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck: 9.8 CRITICAL