CVE-2022-36642
published 2022-09-02


Priority: P179 · critical · 9.8 (CVSS 3.1)
AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 9.04% (94.6th percentile)
A local file disclosure (LFD) vulnerability in /appConfig/userDB.json of Telos Alliance Omnia MPX Node through 1.0.0-1.4.9 allows attackers to access users' credentials, which lets them gain initial access to the control panel with high privilege. The cause is cleartext storage of sensitive information, which can be retrieved by exploiting the LFD vulnerability.

Affected

2 ranges

| Vendor | Product | Version range | Fixed in |
| --- | --- | --- | --- |
| telosalliance | omnia_mpx_node_firmware | | |
| telosalliance | omnia_mpx_node_firmware | >= 1.0.0 < 1.5.0 | 1.5.0 |

Detection & IOCs (extracted from sources)

path: /logs/downloadMainLog?fname=../../../../../../..//etc/passwd
path: /logs/downloadMainLog?fname=../../../../../../..///config/MPXnode/www/appConfig/userDB.json
path: /appConfig/userDB.json
path: /logs/downloadMainLog
sigma
shodan-query: http.title:"Omnia MPX Node | Login"
  • Detect LFI exploitation attempts targeting the downloadMainLog endpoint with path traversal sequences to retrieve /etc/passwd or userDB.json
  • Inspect HTTP response bodies for JSON credential fields indicating successful userDB.json exfiltration: look for co-occurrence of '"username":', '"password":', '"mustChangePwd":', and '"roleUser":'
  • Detect successful /etc/passwd retrieval via the LFI endpoint by matching the regex pattern for root user entry in the response body
  • Identify exposed Omnia MPX Node instances via Shodan/FOFA using the login page title fingerprint
  • Credentials in userDB.json are stored in cleartext, meaning any successful LFI retrieval of this file directly yields usable plaintext credentials for the control panel, with no cracking required.
  • The vulnerability is exploitable without authentication (PR:N, UI:N per CVSS), meaning no prior access is needed to trigger the LFI and retrieve credentials.
  • The userDB.json file path on disk is /config/MPXnode/www/appConfig/userDB.json; traversal depth must account for this absolute path when crafting detection signatures.
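
The detection notes above, as an added example (not code from this page or from the vendor): it flags traversal in the `fname` parameter of `/logs/downloadMainLog` after normalising percent-encoding, then checks the response body for the userDB.json field markers or a root passwd entry. The function names, the passwd regex and the sample events are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

ENDPOINT = "/logs/downloadMainLog"
USERDB_KEYS = ('"username":', '"password":', '"mustChangePwd":', '"roleUser":')
# Assumed pattern for a root entry in /etc/passwd; the page does not give its regex.
PASSWD_ROOT = re.compile(r"^root:[^:]*:0:0:", re.MULTILINE)

def fully_decode(value, rounds=3):
    """Percent-decode repeatedly so double-encoded traversal is normalised."""
    for _ in range(rounds):
        value, previous = unquote(value), value
        if value == previous:
            break
    return value

def is_traversal_request(uri):
    """True when fname on the downloadMainLog endpoint contains a '..' segment."""
    parts = urlsplit(uri)
    if not parts.path.rstrip("/").endswith(ENDPOINT):
        return False
    names = parse_qs(parts.query, keep_blank_values=True).get("fname", [])
    return any(".." in fully_decode(n).replace("\\", "/").split("/") for n in names)

def response_leak(body):
    """Name the disclosed file when the response body shows one, else None."""
    if all(key in body for key in USERDB_KEYS):
        return "userDB.json"
    return "/etc/passwd" if PASSWD_ROOT.search(body) else None

def classify(uri, status, body):
    """None for unrelated traffic, 'attempt', or 'disclosure:<file>'."""
    if not is_traversal_request(uri):
        return None
    leak = response_leak(body) if status == 200 else None
    return f"disclosure:{leak}" if leak else "attempt"

# Constructed sample events: (request URI, HTTP status, response body).
EVENTS = [
    ("/logs/downloadMainLog?fname=../../../../../../..//etc/passwd", 200, "root:x:0:0:root:/root:/bin/sh\n"),
    ("/logs/downloadMainLog?fname=../../../../../../..///config/MPXnode/www/appConfig/userDB.json",
     200, '{"username":"u","password":"placeholder","mustChangePwd":false,"roleUser":"r"}'),
    ("/logs/downloadMainLog?fname=%252e%252e%252fetc%252fpasswd", 404, ""),
    ("/logs/downloadMainLog?fname=main.log", 200, "constructed log text\n"),
]

if __name__ == "__main__":
    for uri, status, body in EVENTS:
        print(classify(uri, status, body), uri)
```

A `disclosure:userDB.json` result means cleartext control-panel credentials left the device, so every account in that file should be treated as compromised and rotated after upgrading to 1.5.0.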

CVSS provenance

nvd · v3.1 · 9.8 · CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck · 9.8 · CRITICAL