CVE-2022-37122
Published 2022-08-31
Priority P2 64 · high · CVSS 3.1: 7.5
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EXPLOIT
EPSS: 18.19% (96.8th percentile)
Carel pCOWeb HVAC BACnet Gateway 2.1.0, Firmware: A2.1.0 - B2.1.0, Application Software: 2.15.4A Software v16 13020200 suffers from an unauthenticated arbitrary file disclosure vulnerability. Input passed through the 'file' GET parameter through the 'logdownload.cgi' Bash script is not properly verified before being used to download log files. This can be exploited to disclose the contents of arbitrary and sensitive files via directory traversal attacks.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| carel | applica | — | — |
| carel | applica | — | — |
| carel | pcoweb_card_firmware | a2.1.0 – b.2.1.0 | — |
| carel | pcoweb_hvac_bacnet_gateway | — | — |
Detection & IOCs (extracted from sources)
yara
regex: root:.*:0:0:
- Look for unauthenticated GET requests to /usr-cgi/logdownload.cgi containing directory traversal sequences (e.g., ../../../../) in the 'file' parameter.
- A successful exploit response will contain the contents of /etc/passwd, detectable by the pattern 'root:.*:0:0:' in the HTTP response body.
- No authentication is required to exploit this vulnerability; monitor for anonymous/unauthenticated access to logdownload.cgi.
- Vulnerability is confirmed on Carel pCOWeb HVAC BACnet Gateway version 2.1.0 with specific firmware and application software versions.
- The vulnerable CGI script is a Bash script, meaning exploitation is limited to environments where this specific script is present and executable.
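The request and response checks listed above, written as a log-review helper. This is an added example, not code from the advisory or the Nuclei template; it also goes beyond the literal `../` case by decoding percent-encoded and double-encoded values first. It assumes combined-format access logs from a proxy or web server in front of the device, and the sample lines (including the `pcoweb.log` filename) are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

PASSWD_RE = re.compile(r"root:.*:0:0:")  # response-body pattern quoted on this page
REQUEST_RE = re.compile(r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded input (%252e%252e%252f) becomes ../"""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def is_traversal_request(target):
    """True when the request targets logdownload.cgi and 'file' contains a '..' segment."""
    parts = urlsplit(target)
    if not fully_decode(parts.path).endswith("/logdownload.cgi"):
        return False
    for raw in parse_qs(parts.query, keep_blank_values=True).get("file", []):
        segments = fully_decode(raw).replace("\\", "/").split("/")
        if ".." in segments:
            return True
    return False

def scan_access_log(lines):
    """Return (line_number, client_ip, target) for each suspicious GET."""
    hits = []
    for number, line in enumerate(lines, start=1):
        match = REQUEST_RE.search(line)
        if match and match["method"] == "GET" and is_traversal_request(match["target"]):
            hits.append((number, match["ip"], match["target"]))
    return hits

def response_leaks_passwd(body):
    """Apply the page's regex to a captured HTTP response body."""
    return bool(PASSWD_RE.search(body))

# Constructed sample lines (combined log format, documentation IP ranges).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Sep/2022:10:00:00 +0000] "GET /usr-cgi/logdownload.cgi?file=pcoweb.log HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Sep/2022:10:00:05 +0000] "GET /usr-cgi/logdownload.cgi?file=../../../../etc/passwd HTTP/1.1" 200 901',
    '198.51.100.7 - - [01/Sep/2022:10:00:09 +0000] "GET /usr-cgi/logdownload.cgi?file=%252e%252e%252f%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 901',
    '192.0.2.10 - - [01/Sep/2022:10:01:00 +0000] "GET /index.html?file=../x HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(hit)
```

A hit in the request log is worth pairing with `response_leaks_passwd` on any captured response body, since a 200 status alone does not show that file contents were returned.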
No detection rules found.
Nuclei
Carel pCOWeb HVAC BACnet Gateway 2.1.0 - Path Traversal
nuclei·CVSS 7.5
CVE-2022-37122 [HIGH] Carel pCOWeb HVAC BACnet Gateway 2.1.0 - Path Traversal
Carel pCOWeb HVAC BACnet Gateway 2.1.0 contains an unauthenticated arbitrary file disclosure caused by improper verification of the 'file' GET parameter in logdownload.cgi, letting attackers disclose sensitive files via directory traversal, exploit requires no authentication.
Template:
```yaml
id: CVE-2022-37122

info:
  name: Carel pCOWeb HVAC BACnet Gateway 2.1.0 - Path Traversal
  author: gy741
  severity: high
  description: |
    Carel pCOWeb HVAC BACnet Gateway 2.1.0 contains an unauthenticated arbitrary file disclosure caused by improper verification of the 'file' GET parameter in logdownload.cgi, letting attackers disclose sensitive files via directory traversal, exploit requires no authentication.
  impact: |
    Unauthenticated attackers can read
```
No writeups or analysis indexed.
- https://packetstormsecurity.com/files/167684/
- https://www.zeroscience.mk/codes/carelpco_dir.txt
- https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5709.php
Published: 2022-08-31