CVE-2022-36635
published 2022-10-07

CVE-2022-36635: ZKteco ZKBioSecurity V5000 4.1.3 was discovered to contain a SQL injection vulnerability via the component /baseOpLog.do.

Priority: P2 · 63 · high · CVSS 3.1 base score 8.8
CVSS 3.1 vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 16.58% (96.6th percentile)

Affected: 4 ranges

Vendor     Product                   Version range   Fixed in
fortinet   fortinet                  (none listed)   (none listed)
fortinet   fortios                   (none listed)   (none listed)
fortinet   fortiswitchmanager        (none listed)   (none listed)
zkteco     zkbiosecurity_v5000       (none listed)   (none listed)

Detection & IOCs (extracted from sources)

path: /baseOpLog.do

Snort/Suricata rule:
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ZKBioSecurity SQL Injection Attempt (CVE-2022-36635)"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:13; content:"/baseOpLog.do"; http.request_body; content:"opTime"; fast_pattern; pcre:"/^(?:Begin|End)\=/PR"; content:"|27|"; distance:0; content:"|2f 2a|"; distance:0; content:"|2a 2f|"; distance:0; reference:url,medium.com/stolabs/cve-2022-36635-a-sql-injection-in-zksecuritybio-to-rce-c5bde2962d47; reference:cve,2022-36635; classtype:attempted-admin; sid:2039129; rev:2; metadata:affected_product IoT, attack_target IoT, created_at 2022_10_07, cve CVE_2022_36635, deployment Perimeter, deployment Internal, performance_impact Low, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_03_26, reviewed_at 2024_09_19, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)
  • Exploit traffic uses the HTTP POST method against the exact URI /baseOpLog.do, matched with a fixed URI length of 13 bytes.
  • The POST body contains 'opTime' followed by 'Begin=' or 'End=', then a single-quote (0x27) and SQL block-comment delimiters (0x2f2a = /*, 0x2a2f = */), the byte structure of the injection payload.
  • The injection point is the opTime parameter (its Begin= or End= form); the attack injects a single-quote followed by SQL block-comment delimiters (/* */) to alter the query.
  • The Snort/Suricata rule is tagged for both perimeter and internal deployment zones, indicating the vulnerable endpoint may be exposed externally or reachable from internal network segments.
  • The affected product is classified as IoT; standard web application firewall rules may not be deployed in front of ZKBioSecurity V5000 devices by default.