CVE-2022-39986
Published 2023-08-01
Priority P1 · 95 · Critical 9.8 · CVSS 3.1
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
ITW · Exploit · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 98.72% (99.9th percentile)
A Command injection vulnerability in RaspAP 2.8.0 thru 2.8.7 allows unauthenticated attackers to execute arbitrary commands via the cfg_id parameter in /ajax/openvpn/activate_ovpncfg.php and /ajax/openvpn/del_ovpncfg.php.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| billz | raspap-webgui | >= 2.8.0 < 2.8.8 | 2.8.8 |
| raspap | raspap | 2.8.0 – 2.8.7 | — |
Detection & IOCs (extracted from sources)
other: shodan http.favicon.hash:-1465760059
other: fofa icon_hash=-1465760059
snort (M2, sid:2047675):
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS RaspAP Command Injection Attempt (CVE 2022-39986) M2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/ajax/openvpn/"; content:"_ovpncfg.php"; endswith; http.request_body; content:"cfg_id|3d 3b|"; startswith; fast_pattern; content:"|3b 23|"; endswith; reference:cve,2022-39986; reference:url,www.exploit-db.com/exploits/51676; classtype:attempted-admin; sid:2047675; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2023_08_18, deployment Perimeter, deployment Internal, deployment SSLDecrypt, performance_impact Low, confidence High, signature_severity Major, updated_at 2023_08_18, mitre_tactic_id TA0008, mitre_tactic_name Lateral_Movement, mitre_technique_id T1210, mitre_technique_name Exploitation_Of_Remote_Services; target:dest_ip;)
snort (M1, sid:2047674):
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS RaspAP Command Injection Attempt (CVE 2022-39986) M1"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/ajax/openvpn/"; content:"_ovpncfg.php"; endswith; http.request_body; content:"cfg_id|25|3d|25|3b"; nocase; startswith; fast_pattern; content:"|25|3b|25|23"; nocase; endswith; reference:cve,2022-39986; reference:url,attackerkb.com/topics/rSD5BAQ0qO/cve-2022-39986; classtype:attempted-admin; sid:2047674; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2023_08_18, deployment Perimeter, deployment Internal, deployment SSLDecrypt, performance_impact Low, confidence High, signature_severity Major, updated_at 2023_08_18, mitre_tactic_id TA0008, mitre_tactic_name Lateral_Movement, mitre_technique_id T1210, mitre_technique_name Exploitation_Of_Remote_Services; target:dest_ip;)
- Exploit targets POST requests to /ajax/openvpn/del_ovpncfg.php or /ajax/openvpn/activate_ovpncfg.php with a malicious cfg_id parameter containing shell metacharacters (semicolons and hash); no authentication is required.
- Successful exploitation returns command output in the HTTP response body matching the pattern uid=... gid=... groups=...; use this pattern to confirm that command execution occurred.
- The M2 Snort rule detects the raw (non-URL-encoded) form: the POST body starts with cfg_id=; (bytes 3d 3b) and ends with ;# (bytes 3b 23), on URIs under /ajax/openvpn/ that end in _ovpncfg.php.
- The M1 Snort rule detects the URL-encoded form: the POST body starts with cfg_id%3d%3b (bytes 25 3d 25 3b) and ends with %3b%23 (bytes 25 3b 25 23), matched case-insensitively, on the same URI pattern.
- RaspAP instances can be fingerprinted via favicon hash -1465760059 on Shodan or FOFA for proactive asset discovery and exposure monitoring.
- Only RaspAP versions 2.8.0 through 2.8.7 are affected; versions outside this range are not impacted by this specific injection path.
- The exploit is unauthenticated (no session cookie, token, or credential is required), so perimeter controls blocking unauthenticated POST requests to these endpoints are the primary mitigation.
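The two ET rules and the bullets above describe byte-exact, start-and-end-anchored patterns. The Python below is an added example, not the ET rules, RaspAP code, or any project's detector: it re-implements the M1 and M2 matching logic over constructed request records, adds the response-body check for id(1)-style output, and goes one step beyond the rules with a "generic" heuristic that decodes the form body and inspects the cfg_id value itself, wherever it sits in the body. The metacharacter list, the sample requests and the non-vulnerable path used as a control are assumptions of this example.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote_to_bytes

# Added example for CVE-2022-39986 detection. Mirrors the two ET rules
# quoted on this page (sid 2047675 "M2" raw form, sid 2047674 "M1"
# URL-encoded form) and adds one broader heuristic of its own. Not the ET
# rules, not RaspAP code; every request/response sample is constructed.

# URI condition shared by both rules: "/ajax/openvpn/" in the path and the
# path ending in "_ovpncfg.php" (covers activate_ovpncfg.php and del_ovpncfg.php).
VULN_PATH = re.compile(r"/ajax/openvpn/.*_ovpncfg\.php$")

# Bullet above: successful execution echoes id(1)-style output in the body.
ID_OUTPUT = re.compile(rb"uid=\d+.*gid=\d+.*groups=")

# Shell metacharacters for the added "generic" heuristic (our list, an assumption).
SHELL_META = set(b";|&`$\n#")


def form_fields(body: bytes) -> dict:
    """Minimal application/x-www-form-urlencoded parser (splits on '&' only)."""
    fields = {}
    for pair in body.split(b"&"):
        name, _, value = pair.partition(b"=")
        key = unquote_to_bytes(name.replace(b"+", b" ")).decode("latin-1")
        fields[key] = unquote_to_bytes(value.replace(b"+", b" "))
    return fields


def classify_request(method: str, uri: str, body: bytes) -> Optional[str]:
    """Return "M2", "M1", "generic" or None for one HTTP request.

    "M2" and "M1" follow the ET rules byte for byte, including their
    start-of-body / end-of-body anchoring. "generic" is the added heuristic:
    a cfg_id value on the affected endpoints that contains a shell
    metacharacter, regardless of position or percent-encoding.
    """
    path = uri.split("?", 1)[0]
    if method.upper() != "POST" or not VULN_PATH.search(path):
        return None
    # M2: raw body "cfg_id=;" ... ";#" (bytes 3d 3b ... 3b 23), case-sensitive
    if body.startswith(b"cfg_id=;") and body.endswith(b";#"):
        return "M2"
    # M1: encoded "cfg_id%3d%3b" ... "%3b%23", nocase (hex digits may be upper)
    low = body.lower()
    if low.startswith(b"cfg_id%3d%3b") and low.endswith(b"%3b%23"):
        return "M1"
    # Added heuristic: decode the body and inspect the cfg_id value itself.
    value = form_fields(body).get("cfg_id", b"")
    if SHELL_META & set(value):
        return "generic"
    return None


def confirm_response(body: bytes) -> bool:
    """True if a response body carries the id(1)-style output the bullet lists."""
    return ID_OUTPUT.search(body) is not None


# Constructed request records (method, uri, body); not captured traffic.
SAMPLE_REQUESTS: List[Tuple[str, str, bytes]] = [
    ("POST", "/ajax/openvpn/del_ovpncfg.php", b"cfg_id=;CONSTRUCTED;#"),
    ("POST", "/ajax/openvpn/activate_ovpncfg.php", b"cfg_id%3D%3BCONSTRUCTED%3B%23"),
    ("POST", "/ajax/openvpn/activate_ovpncfg.php", b"cfg_id=client1.ovpn"),         # benign
    ("POST", "/ajax/openvpn/activate_ovpncfg.php", b"x=1&cfg_id=;CONSTRUCTED;#"),   # not at body start
    ("GET", "/ajax/openvpn/activate_ovpncfg.php", b""),                              # wrong method
    ("POST", "/ajax/openvpn/status.php", b"cfg_id=;CONSTRUCTED;#"),                  # control path (constructed)
]


def scan(requests: List[Tuple[str, str, bytes]]) -> List[Tuple[int, str]]:
    """Return (index, verdict) for every request that triggers a verdict."""
    hits = []
    for i, (method, uri, body) in enumerate(requests):
        verdict = classify_request(method, uri, body)
        if verdict is not None:
            hits.append((i, verdict))
    return hits


if __name__ == "__main__":
    for i, verdict in scan(SAMPLE_REQUESTS):
        print(f"request {i}: {verdict}")
```

Two points the sample set makes explicit: the ET signatures require the injection to be the first and last bytes of the body, so the fourth record (a leading parameter before cfg_id) is only caught by the added heuristic; and both rules carry the SSLDecrypt deployment tag, so they only help where the sensor sees plaintext HTTP bodies, which is equally true of this script.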
CVSS provenance
NVD (v3.1): 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
VulnCheck: 9.8 CRITICAL
OSV · 2023-08-01
CVE-2022-39986 [CRITICAL] RaspAP Command Injection vulnerability
GHSA · 2023-08-01
CVE-2022-39986 [CRITICAL] CWE-77 RaspAP Command Injection vulnerability
VulnCheck · 2022 · CVSS 9.8
CVE-2022-39986 [CRITICAL] raspap raspap Improper Neutralization of Special Elements used in a Command ('Command Injection')
Affected: raspap raspap
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-11-13&host_type=src&vulnerability=cve-2022-39986; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-12-20&host_type=src&vulnerability=cve-2022-39986; https
Suricata · 2023-08-18
CVE-2022-39986 ET WEB_SPECIFIC_APPS RaspAP Command Injection Attempt (CVE 2022-39986) M2 (sid:2047675; full rule quoted under Detection & IOCs)
Suricata · 2023-08-18
CVE-2022-39986 ET WEB_SPECIFIC_APPS RaspAP Command Injection Attempt (CVE 2022-39986) M1 (sid:2047674; full rule quoted under Detection & IOCs)
Metasploit
RaspAP Unauthenticated Command Injection
RaspAP is feature-rich wireless router software that just works on many popular Debian-based devices, including the Raspberry Pi. A Command Injection vulnerability in RaspAP versions 2.8.0 thru 2.8.7 allows unauthenticated attackers to execute arbitrary commands in the context of the user running RaspAP via the cfg_id parameter in /ajax/openvpn/activate_ovpncfg.php and /ajax/openvpn/del_ovpncfg.php. Successfully tested against RaspAP 2.8.0 and 2.8.7.
Nuclei · CVSS 9.8
CVE-2022-39986 [CRITICAL] RaspAP 2.8.7 - Unauthenticated Command Injection
Template:
id: CVE-2022-39986
info:
  name: RaspAP 2.8.7 - Unauthenticated Command Injection
  author: DhiyaneshDK
  severity: critical
  description: |
    A Command injection vulnerability in RaspAP 2.8.0 thru 2.8.7 allows unauthenticated attackers to execute arbitrary commands via the cfg_id parameter in /ajax/openvpn/activate_ovpncfg.php and /ajax/openvpn/del_ovpncfg.php.
  impact: |
    Successful exploitation of this vulnerability can lead to remote code execution, compromising the confidentiality, integrity, and availability of the
References:
- http://packetstormsecurity.com/files/174190/RaspAP-2.8.7-Unauthenticated-Command-Injection.html
- https://github.com/RaspAP/raspap-webgui/blob/master/ajax/openvpn/activate_ovpncfg.php
- https://medium.com/%40ismael0x00/multiple-vulnerabilities-in-raspap-3c35e78809f2