CVE-2022-38840
Published 2023-04-16
Priority: P2 · 77 · high
CVSS 3.1: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
Tags: ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 9.80% (94.9th percentile)
cgi-bin/xmlstatus.cgi in Güralp MAN-EAM-0003 3.2.4 is vulnerable to an XML External Entity (XXE) issue via XML file upload, which leads to local file disclosure.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| guralp | man-eam-0003 | — | — |
Detection & IOCs
- Detect XXE exploitation attempts against the vulnerable endpoint by monitoring POST requests to /cgi-bin/xmlstatus.cgi with multipart form-data containing XML with external entity declarations (DOCTYPE with SYSTEM referencing local files such as /etc/passwd).
- Successful exploitation is confirmed when the HTTP 200 response body contains 'root:.*:0:0:' (passwd file content) AND the strings 'XML status', 'Software repository label', and 'xmlstatus.cgi'.
- Use the Google dork 'webconfig menu.cgi' to identify exposed Güralp MAN-EAM-0003 devices on the internet that may be vulnerable.
- No authentication is required to exploit this vulnerability; the endpoint /cgi-bin/xmlstatus.cgi is accessible without credentials.
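The request and response conditions listed above can be combined into a single triage pass over proxy or WAF records. The following is an added example, not code from any of the indexed sources; the record layout (`request`/`response` dicts with lower-cased header names), the form field name, the host `device.example` and all sample traffic are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

ENDPOINT = "/cgi-bin/xmlstatus.cgi"
# A DOCTYPE whose internal subset declares an external (SYSTEM) entity.
EXT_ENTITY = re.compile(r"<!DOCTYPE\b.*?<!ENTITY\b[^>]*\bSYSTEM\b", re.S)
PASSWD_ROOT = re.compile(r"root:.*:0:0:")
PAGE_MARKERS = ("XML status", "Software repository label", "xmlstatus.cgi")

def is_xxe_attempt(req):
    """Multipart POST to the endpoint whose body declares an external entity."""
    ctype = req["headers"].get("content-type", "").lower()
    return (req["method"].upper() == "POST"
            and urlsplit(req["url"]).path == ENDPOINT
            and ctype.startswith("multipart/form-data")
            and bool(EXT_ENTITY.search(req["body"])))

def is_confirmed_disclosure(resp):
    """HTTP 200 whose body has the passwd root line and all three page markers."""
    return (resp["status"] == 200
            and bool(PASSWD_ROOT.search(resp["body"]))
            and all(m in resp["body"] for m in PAGE_MARKERS))

def classify(tx):
    if not is_xxe_attempt(tx["request"]):
        return "clean"
    return "confirmed" if is_confirmed_disclosure(tx["response"]) else "attempt"

def _tx(method, xml, status, resp_body):  # builds one constructed record
    body = ('--b\r\nContent-Disposition: form-data; name="f"; filename="s.xml"'
            f'\r\n\r\n{xml}\r\n--b--\r\n')
    return {"request": {"method": method, "url": "http://device.example" + ENDPOINT,
                        "headers": {"content-type": "multipart/form-data; boundary=b"},
                        "body": body},
            "response": {"status": status, "body": resp_body}}

# Constructed sample data: not captured traffic, field names are assumptions.
XXE = '<!DOCTYPE doc [<!ENTITY x SYSTEM "file:///etc/passwd">]><doc>&x;</doc>'
PAGE = "XML status | Software repository label | xmlstatus.cgi | "
SAMPLES = [
    _tx("POST", XXE, 200, PAGE + "root:x:0:0:root:/root:/bin/sh"),  # leak
    _tx("POST", XXE, 200, PAGE + "parse error"),                    # no leak
    _tx("POST", "<doc>ok</doc>", 200, PAGE),                        # benign
    _tx("GET", XXE, 200, PAGE),                                     # not a POST
]

def triage(samples):
    return [classify(t) for t in samples]

if __name__ == "__main__":
    print(triage(SAMPLES))
```

Treat `attempt` as an alert and `confirmed` as an incident: the second state means file content left the device and any credentials stored on it should be considered exposed.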
CVSS provenance
nvd · v3.1 · 7.5 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
vulncheck · 7.5 HIGH
GHSA
GHSA-gjg3-8mx2-7f8f: cgi-bin/xmlstatus
ghsa_unreviewed·2023-07-06
CVE-2022-38840 [HIGH] CWE-611 GHSA-gjg3-8mx2-7f8f: cgi-bin/xmlstatus
cgi-bin/xmlstatus.cgi in Güralp MAN-EAM-0003 3.2.4 is vulnerable to an XML External Entity (XXE) issue via XML file upload, which leads to local file disclosure.
VulnCheck
guralp man-eam-0003 Improper Restriction of XML External Entity Reference
vulncheck·2022·CVSS 7.5
CVE-2022-38840 [HIGH] guralp man-eam-0003 Improper Restriction of XML External Entity Reference
cgi-bin/xmlstatus.cgi in Güralp MAN-EAM-0003 3.2.4 is vulnerable to an XML External Entity (XXE) issue via XML file upload, which leads to local file disclosure.
Affected: guralp man-eam-0003
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2025-07-21&host_type=src&vulnerability=cve-2022-38840; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2025-09-25&host_type=src&vulnerability=cve-2022-38840; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2025-
No detection rules found.
Exploit-DB
MAN-EAM-0003 V3.2.4 - XXE
exploitdb·2023-03-23·CVSS 7.5
CVE-2022-38840 [HIGH] MAN-EAM-0003 V3.2.4 - XXE
---
# Exploit Title: MAN-EAM-0003 V3.2.4 - XXE
# Date: 2022-09-19
# Exploit Author: Ahmed Alroky
# Author: http://guralp.com/
# Version: 3.2.4
# Authentication Required: NO
# CVE : CVE-2022-38840
# Google dork: " webconfig menu.cgi "
# Tested on: Windows
# Exploit
1 - browse to http:// name>/cgi-bin/xmlstatus.cgi
2 - click on "View saved XML snapshot" and upload XML exploit file or paste the exploit code and submit the form
3 - you will get /etc/passwd file content
#XML exploit code
```
]>
false
platinum
102
running
GPS
FLL
46196
true
2022-06-14T11:26:53Z
6.1e-08
running
never
4.6%
-0.3%
-0.3%
running
never
running
never
11374055
331
1567
0
16
5
7338920142
213600
gdi2gcf[default]
gdi-link-tx[default]
gdi2miniseed[default]
das-in
das-
```
Nuclei
Güralp MAN-EAM-0003 3.2.4 - XML External Entity (XXE)
nuclei·CVSS 7.5
CVE-2022-38840 [HIGH] Güralp MAN-EAM-0003 3.2.4 - XML External Entity (XXE)
cgi-bin/xmlstatus.cgi in Güralp MAN-EAM-0003 3.2.4 is vulnerable to an XML External Entity (XXE) issue via XML file upload, which leads to local file disclosure.
Template:
```
id: CVE-2022-38840

info:
  name: Güralp MAN-EAM-0003 3.2.4 - XML External Entity (XXE)
  author: daffainfo
  severity: high
  description: |
    cgi-bin/xmlstatus.cgi in Güralp MAN-EAM-0003 3.2.4 is vulnerable to an XML External Entity (XXE) issue via XML file upload, which leads to local file disclosure.
  impact: |
    Unauthenticated attackers can exploit XXE vulnerabilities in the xmlstatus.cgi component to read arbitrary files from the seismic monitoring system, potentially accessing sensitive configuration data and system credentials.
  remediation: |
    Update Güralp MAN-EAM-0003
```
No writeups or analysis indexed.
- http://packetstormsecurity.com/files/171439/MAN-EAM-0003-3.2.4-XML-Injection.html
- https://drive.google.com/drive/folders/1UG5IcL8fFp9MV0vjd78_cx6iXKda5bpM?usp=sharing