CVE-2022-37932
published 2022-12-12

Priority: P1 · 84 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: ITW · Exploit · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 2.64% (83.7th percentile)
A potential security vulnerability has been identified in Hewlett Packard Enterprise OfficeConnect 1820, 1850, and 1920S Network switches. The vulnerability could be remotely exploited to allow authentication bypass. HPE has made the following software updates to resolve the vulnerability in Hewlett Packard Enterprise OfficeConnect 1820, 1850 and 1920S Network switches versions: Prior to PT.02.14; Prior to PC.01.22; Prior to PO.01.21; Prior to PD.02.22;

Affected (21 ranges)

Vendor  Product                                        Version range           Fixed in
hpe     officeconnect_1820_j9979a_firmware             < pt.02.14              pt.02.14
hpe     officeconnect_1820_j9980a_firmware             < pt.02.14              pt.02.14
hpe     officeconnect_1820_j9981a_firmware             < pt.02.14              pt.02.14
hpe     officeconnect_1820_j9982a_firmware             < pt.02.14              pt.02.14
hpe     officeconnect_1820_j9983a_firmware             < pt.02.14              pt.02.14
hpe     officeconnect_1820_j9984a_firmware             < pt.02.14              pt.02.14
hpe     officeconnect_1850_24g_2xgt_firmware           < pc.01.22              pc.01.22
hpe     officeconnect_1850_24g_2xgt_poe_+_firmware     < pc.01.22              pc.01.22
hpe     officeconnect_1850_2xgt_spf_+_firmware         < po.01.21              po.01.21
hpe     officeconnect_1850_48g_4xgt_firmware           < pc.01.22              pc.01.22
hpe     officeconnect_1850_48g_4xgt_poe_+_firmware     < pc.01.22              pc.01.22
hpe     officeconnect_1850_6xgt_firmware               < po.01.21              po.01.21
hpe     officeconnect_1920s_24g_2sfp_firmware          < pd.02.22              pd.02.22
hpe     officeconnect_1920s_24g_2sfp_poe_+_firmware    < pd.02.22              pd.02.22
hpe     officeconnect_1920s_24g_2sfp_ppoe_+_firmware   < pd.02.22              pd.02.22
hpe     officeconnect_1920s_48g_4sfp_firmware          < pd.02.22              pd.02.22
hpe     officeconnect_1920s_48g_4sfp_ppoe_+_firmware   < pd.02.22              pd.02.22
hpe     officeconnect_1920s_8g_firmware                < pd.02.22              pd.02.22
hpe     officeconnect_1920s_8g_ppoe_+_firmware         < pd.02.22              pd.02.22
linux   linux_kernel                                   >= 0 < 4.4.0-270.304    4.4.0-270.304
linux   linux_kernel                                   >= 0 < 4.15.0-239.251   4.15.0-239.251

Detection & IOCs (extracted from sources)

url:     /login/default_password_cfg.lua
url:     /htdocs/login/default_password_cfg.lua
path:    /login/default_password_cfg.lua
path:    /htdocs/login/default_password_cfg.lua
command: username=admin&oldPwd=&newPwd={{password}}&confirmPwd={{password}}
other:   shodan: html:"HPE OfficeConnect"
  • Detect exploit attempts by monitoring HTTP POST requests to /login/default_password_cfg.lua or /htdocs/login/default_password_cfg.lua with an empty oldPwd field, indicating an unauthenticated password reset attempt.
  • A successful exploitation response returns HTTP 200 with a JSON body containing a 'redirect' key and Content-Type application/json.
  • Fingerprint vulnerable HPE OfficeConnect 1920S devices by checking for the string 'HPE OfficeConnect Switch 1920' in the HTTP response body of the root path.
  • Use Shodan query html:"HPE OfficeConnect" to identify internet-exposed HPE OfficeConnect switches potentially vulnerable to this authentication bypass.
  • The vulnerability affects HPE OfficeConnect 1820, 1850, and 1920S switches on firmware versions prior to PT.02.14, PC.01.22, PO.01.21, and PD.02.22 respectively. Devices already patched to these versions are not vulnerable.
  • The exploit flow requires an initial GET to the root path to confirm the target is an HPE OfficeConnect Switch 1920 before attempting the password reset POST. The bypass only works when oldPwd is left empty (no prior password set).
  • The attack vector is adjacent network (AV:A), meaning the attacker must be on the same network segment or VLAN as the switch management interface.
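
As an added detection example (not from the CVE record, HPE, or any of the cited sources), the Python below applies the monitoring rules above to constructed JSON-lines request records: it flags POSTs to the reset endpoint with an empty oldPwd field and grades each hit by whether the logged response matches the success signature. The log record format, field names and sample values are assumptions.

```python
import json
from urllib.parse import parse_qs

# Endpoints named in the IOC list above.
RESET_PATHS = {"/login/default_password_cfg.lua", "/htdocs/login/default_password_cfg.lua"}

def is_reset_attempt(entry):
    """True for a POST to the reset endpoint whose oldPwd field is empty,
    i.e. the unauthenticated password-reset pattern described above."""
    if entry.get("method") != "POST" or entry.get("path") not in RESET_PATHS:
        return False
    params = parse_qs(entry.get("body", ""), keep_blank_values=True)
    return "oldPwd" in params and all(v == "" for v in params["oldPwd"])

def looks_successful(entry):
    """True if the logged response matches the success signature:
    HTTP 200, Content-Type application/json, JSON body with a 'redirect' key."""
    if entry.get("status") != 200 or "application/json" not in entry.get("content_type", ""):
        return False
    try:
        body = json.loads(entry.get("response", ""))
    except ValueError:
        return False
    return isinstance(body, dict) and "redirect" in body

def triage(log_lines):
    """Scan JSON-lines request records; return [(line_no, verdict)] for each hit."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        entry = json.loads(line)
        if is_reset_attempt(entry):
            hits.append((n, "SUCCESS" if looks_successful(entry) else "ATTEMPT"))
    return hits

# Constructed sample records (hypothetical log format, not captured traffic).
# Line 1: fingerprint GET; 2: blocked attempt; 3: attempt with success
# signature; 4: legitimate change with a non-empty oldPwd (not flagged).
SAMPLE_LOG = [json.dumps(e) for e in (
    {"method": "GET", "path": "/", "body": "", "status": 200,
     "content_type": "text/html", "response": "HPE OfficeConnect Switch 1920"},
    {"method": "POST", "path": "/login/default_password_cfg.lua", "status": 403,
     "body": "username=admin&oldPwd=&newPwd=X&confirmPwd=X",
     "content_type": "text/html", "response": ""},
    {"method": "POST", "path": "/htdocs/login/default_password_cfg.lua", "status": 200,
     "body": "username=admin&oldPwd=&newPwd=X&confirmPwd=X",
     "content_type": "application/json", "response": "{\"redirect\": \"/\"}"},
    {"method": "POST", "path": "/login/default_password_cfg.lua", "status": 200,
     "body": "username=admin&oldPwd=old&newPwd=X&confirmPwd=X",
     "content_type": "application/json", "response": "{\"redirect\": \"/\"}"},
)]
```

Running `triage(SAMPLE_LOG)` returns `[(2, 'ATTEMPT'), (3, 'SUCCESS')]`; a real deployment would feed it the management interface's HTTP logs or a proxy capture in the same shape.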

CVSS provenance

Source     Version  Score  Severity  Vector
nvd        v3.1     9.8    CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
osv                 7.8    HIGH
vulncheck           8.8    HIGH