CVE-2022-36635
published 2022-10-07
CVE-2022-36635: ZKteco ZKBioSecurity V5000 4.1.3 was discovered to contain a SQL injection vulnerability via the component /baseOpLog.do.
Priority: P2 · 63 · high
CVSS 3.1: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS: 16.58% (96.6th percentile)
ZKteco ZKBioSecurity V5000 4.1.3 was discovered to contain a SQL injection vulnerability via the component /baseOpLog.do.
Affected (4 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| fortinet | fortinet | — | — |
| fortinet | fortios | — | — |
| fortinet | fortiswitchmanager | — | — |
| zkteco | zkbiosecurity_v5000 | — | — |
Detection & IOCs (extracted from sources)
snort
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ZKBioSecurity SQL Injection Attempt (CVE-2022-36635)"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:13; content:"/baseOpLog.do"; http.request_body; content:"opTime"; fast_pattern; pcre:"/^(?:Begin|End)\=/PR"; content:"|27|"; distance:0; content:"|2f 2a|"; distance:0; content:"|2a 2f|"; distance:0; reference:url,medium.com/stolabs/cve-2022-36635-a-sql-injection-in-zksecuritybio-to-rce-c5bde2962d47; reference:cve,2022-36635; classtype:attempted-admin; sid:2039129; rev:2; metadata:affected_product IoT, attack_target IoT, created_at 2022_10_07, cve CVE_2022_36635, deployment Perimeter, deployment Internal, performance_impact Low, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_03_26, reviewed_at 2024_09_19, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)
- Exploit traffic uses the HTTP POST method against the exact URI /baseOpLog.do; bsize:13 requires the URI buffer to be exactly 13 bytes, so a request with a query string appended does not match.
- The POST body contains 'opTime' immediately followed by 'Begin=' or 'End=' (the pcre is relative to the preceding opTime match, i.e. the opTimeBegin or opTimeEnd date parameter), then, in order, a single-quote byte (0x27) and the SQL block-comment delimiters /* (0x2f 0x2a) and */ (0x2a 0x2f), which is the structure of a SQL injection payload.
- The injection point is therefore the opTime date range parameter; the attack appends a single-quote followed by block-comment delimiters to alter the query.
- The Snort/Suricata rule is tagged for both perimeter and internal deployment, indicating the vulnerable endpoint may be exposed externally or reachable from internal network segments.
- The affected product is classified as IoT; standard web application firewall rules may not be deployed in front of ZKBioSecurity V5000 devices by default.
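The following is an added example, not code from the page or from the rule's authors: a small Python detector that applies the same ordered checks as ET sid 2039129 (POST method, a 13-byte URI equal to /baseOpLog.do, opTimeBegin=/opTimeEnd= in the body, then ', /* and */ in sequence) to raw HTTP requests. The request samples are constructed for the example; the hostname and the `decode_form` option are assumptions and not part of the rule. Like the rule, the default mode matches literal bytes; `decode_form=True` shows the same logic applied after form decoding, which a detector running on decoded request logs would need.

```python
import re
from typing import Dict, Optional, Tuple
from urllib.parse import unquote_plus

# Constants mirroring the rule's content checks (sid:2039129 on this page).
RULE_URI = "/baseOpLog.do"          # content:"/baseOpLog.do"; bsize:13
RULE_URI_LEN = 13
# pcre "/^(?:Begin|End)\=/PR" is relative to content:"opTime", so the
# body must contain opTimeBegin= or opTimeEnd= as one token.
PARAM_RE = re.compile(rb"opTime(?:Begin|End)=")
ORDERED_BYTES = (b"'", b"/*", b"*/")  # |27|, |2f 2a|, |2a 2f| with distance:0


def parse_request(raw: bytes) -> Optional[Tuple[str, str, bytes]]:
    """Split a raw HTTP/1.x request into (method, uri, body)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return None
    parts = head.split(b"\r\n", 1)[0].split(b" ")
    if len(parts) < 2:
        return None
    return parts[0].decode("latin-1"), parts[1].decode("latin-1"), body


def matches_rule(raw: bytes, decode_form: bool = False) -> bool:
    """True when the request satisfies every check of the rule, in order."""
    parsed = parse_request(raw)
    if parsed is None:
        return False
    method, uri, body = parsed
    if method != "POST":
        return False
    # bsize:13 means the whole URI buffer is exactly 13 bytes.
    if len(uri) != RULE_URI_LEN or uri != RULE_URI:
        return False
    if decode_form:  # assumption: detector sees decoded form data
        body = unquote_plus(body.decode("latin-1"), encoding="latin-1").encode("latin-1")
    m = PARAM_RE.search(body)
    if m is None:
        return False
    # distance:0 chains: each token must appear after the previous match ends.
    pos = m.end()
    for token in ORDERED_BYTES:
        idx = body.find(token, pos)
        if idx < 0:
            return False
        pos = idx + len(token)
    return True


def build_request(method: str, uri: str, body: bytes) -> bytes:
    """Assemble a minimal raw request (host name is a constructed placeholder)."""
    head = (
        f"{method} {uri} HTTP/1.1\r\n"
        "Host: zkbio.example\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\n"
        f"Content-Length: {len(body)}\r\n\r\n"
    )
    return head.encode("latin-1") + body


# Constructed sample traffic; only the first carries the rule's byte pattern.
SAMPLES: Dict[str, bytes] = {
    "pattern_hit": build_request(
        "POST", "/baseOpLog.do", b"opTimeBegin=2022-10-01'/**/&opTimeEnd=2022-10-07"),
    "benign_query": build_request(
        "POST", "/baseOpLog.do", b"opTimeBegin=2022-10-01 00:00:00&opTimeEnd=2022-10-07 00:00:00"),
    "query_string_uri": build_request(
        "POST", "/baseOpLog.do?x=1", b"opTimeBegin=2022-10-01'/**/"),
    "wrong_method": build_request(
        "GET", "/baseOpLog.do", b"opTimeBegin=2022-10-01'/**/"),
    "percent_encoded": build_request(
        "POST", "/baseOpLog.do", b"opTimeBegin=2022-10-01%27%2F%2A%2A%2F"),
}


def scan(samples: Dict[str, bytes], decode_form: bool = False) -> Dict[str, bool]:
    """Run the detector over every sample and report name -> matched."""
    return {name: matches_rule(raw, decode_form) for name, raw in samples.items()}


if __name__ == "__main__":
    for name, hit in scan(SAMPLES).items():
        print(f"{name:18s} literal={hit}  decoded={matches_rule(SAMPLES[name], True)}")
```

The `percent_encoded` sample is the useful one for tuning: the literal-byte pass (what the IDS rule does) does not match it, while the decoded pass does, so a log-based detector should normalize form data before applying these checks, and the IDS alert alone should not be treated as full coverage of the endpoint.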
GHSA
GHSA-5239-v43c-m59r: ZKteco ZKBioSecurity V5000 4
Source: GHSA (unreviewed) · 2022-10-08 · CVE-2022-36635 [HIGH] · CWE-89
ZKteco ZKBioSecurity V5000 4.1.3 was discovered to contain a SQL injection vulnerability via the component /baseOpLog.do.
Fortinet
Read-Only users able to add/modify the Interface fields using the API
Source: vendor (Fortinet) · 2022-11-02 · CVSS 7.1 · CVE-2022-38380 [MEDIUM] · CWE-284
FG-IR-22-174: Read-Only users able to add/modify the Interface fields using the API
An improper access control [CWE-284] vulnerability in FortiOS version 7.2.0 and versions 7.0.0 through 7.0.7 may allow a remote authenticated read-only user to modify the interface settings via the API.
An improper access control in Fortinet FortiSwitchManager version 7.2.0 through 7.2.2 and 7.0.0 through 7.0.1 may allow a remote authenticated read-only user to modify the interface settings via the API.
CVEs: CVE-2022-38380, CVE-2023-36635
CWEs: CWE-284
CVSS: 7.1 (high)
Affected products: FortiOS, FortiSwitchManager, Fortinet
Suricata
ET EXPLOIT ZKBioSecurity SQL Injection Attempt (CVE-2022-36635)
Source: suricata · 2022-10-07 · CVSS 8.8 · CVE-2022-36635 [HIGH]
Rule: sid 2039129, rev 2 (full rule text under Detection & IOCs above)
No public exploits indexed.
No writeups or analysis indexed.
Published: 2022-10-07