CVE-2022-38840
published 2023-04-16


Priority: P2 · 77 · high · 7.5 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:N / A:N
ITW exploit · VulnCheck KEV · Exploited in the wild
EPSS: 9.80% (94.9th percentile)
cgi-bin/xmlstatus.cgi in Güralp MAN-EAM-0003 3.2.4 is vulnerable to an XML External Entity (XXE) issue via XML file upload, which leads to local file disclosure.

Affected (1 range)

Vendor   Product        Version range   Fixed in
guralp   man-eam-0003   -               -

Detection & IOCs (extracted from sources)

path: /cgi-bin/xmlstatus.cgi
url:  /cgi-bin/xmlstatus.cgi
  • Detect XXE exploitation attempts against the vulnerable endpoint by monitoring POST requests to /cgi-bin/xmlstatus.cgi with multipart form-data containing XML with external entity declarations (DOCTYPE with SYSTEM referencing local files such as /etc/passwd).
  • Successful exploitation is confirmed when the HTTP 200 response body contains 'root:.*:0:0:' (passwd file content) AND the strings 'XML status', 'Software repository label', and 'xmlstatus.cgi'.
  • Use the Google dork 'webconfig menu.cgi' to identify exposed Güralp MAN-EAM-0003 devices on the internet that may be vulnerable.
  • No authentication is required to exploit this vulnerability; the endpoint /cgi-bin/xmlstatus.cgi is accessible without credentials.
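The detection bullets above describe a two-stage rule: flag a POST to /cgi-bin/xmlstatus.cgi whose multipart body declares an external entity with SYSTEM pointing at a local file, and upgrade the verdict to confirmed disclosure when the 200 response carries passwd-style content together with the three confirmation strings. The following is an added example, not code from the page or from any of its sources, that applies that rule to request/response pairs; the HttpExchange record shape, the regexes and the sample traffic are assumptions constructed for illustration, and only the endpoint path and the confirmation strings come from the page.

```python
import re
from dataclasses import dataclass
from typing import List

# Endpoint named in the advisory (the path is from the page; everything else here is constructed).
TARGET_PATH = "/cgi-bin/xmlstatus.cgi"

# Indicators from the page's detection bullets: an external entity declared with SYSTEM
# that points at a local file in the request, and passwd-style content in the response.
DOCTYPE_RE = re.compile(r"<!DOCTYPE\b", re.IGNORECASE)
LOCAL_ENTITY_RE = re.compile(
    r"<!ENTITY\s+\S+\s+SYSTEM\s+[\"'](?:file://)?/[^\"']*[\"']", re.IGNORECASE
)
PASSWD_RE = re.compile(r"root:.*:0:0:")
CONFIRM_STRINGS = ("XML status", "Software repository label", "xmlstatus.cgi")


@dataclass
class HttpExchange:
    """One request/response pair as a proxy or WAF log might record it (assumed shape)."""
    method: str
    path: str
    content_type: str
    request_body: str
    status: int
    response_body: str


def classify(ex: HttpExchange) -> str:
    """Return 'none', 'attempt' (XXE payload sent to the endpoint) or 'success'
    (attempt whose 200 response carries passwd content plus the confirmation strings)."""
    if ex.method.upper() != "POST" or ex.path.split("?", 1)[0] != TARGET_PATH:
        return "none"
    if "multipart/form-data" not in ex.content_type.lower():
        return "none"
    body = ex.request_body
    if not (DOCTYPE_RE.search(body) and LOCAL_ENTITY_RE.search(body)):
        return "none"
    resp = ex.response_body
    if ex.status == 200 and PASSWD_RE.search(resp) and all(s in resp for s in CONFIRM_STRINGS):
        return "success"
    return "attempt"


def classify_all(exchanges: List[HttpExchange]) -> List[str]:
    """Classify a batch of exchanges in order."""
    return [classify(ex) for ex in exchanges]


# Constructed sample traffic: a benign status upload, a blocked attempt,
# a successful disclosure, and an unrelated request to another CGI script.
MULTIPART = "multipart/form-data; boundary=----x"
SAMPLE_EXCHANGES = [
    HttpExchange("POST", TARGET_PATH, MULTIPART,
                 '<?xml version="1.0"?><status><label>site-1</label></status>',
                 200, "XML status\nSoftware repository label: site-1\nxmlstatus.cgi ok"),
    HttpExchange("POST", TARGET_PATH, MULTIPART,
                 '<?xml version="1.0"?><!DOCTYPE s [<!ENTITY x SYSTEM "file:///etc/passwd">]><status>&x;</status>',
                 403, "Forbidden"),
    HttpExchange("POST", TARGET_PATH + "?v=1", MULTIPART,
                 '<?xml version="1.0"?><!DOCTYPE s [<!ENTITY x SYSTEM "/etc/passwd">]><status>&x;</status>',
                 200, "XML status\nSoftware repository label: root:x:0:0:root:/root:/bin/sh\nxmlstatus.cgi"),
    HttpExchange("GET", "/cgi-bin/menu.cgi", "", "", 200, "webconfig menu.cgi"),
]

if __name__ == "__main__":
    for ex, verdict in zip(SAMPLE_EXCHANGES, classify_all(SAMPLE_EXCHANGES)):
        print(f"{ex.method} {ex.path} -> {ex.status}: {verdict}")
```

The 'attempt' verdict on its own is worth alerting on even when the device answers with an error, since it shows the endpoint is reachable and being probed; the 'success' verdict is the one that should open an incident, because the response body is the evidence of file disclosure.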

CVSS provenance

nvd        v3.1  7.5  HIGH  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
vulncheck        7.5  HIGH