CVE-2022-39986
published 2023-08-01

Priority: P1 · 95 · critical · 9.8 · CVSS 3.1
Vector: AV:N AC:L PR:N UI:N S:U C:H I:H A:H
Flags: ITW · EXPLOIT · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 98.72% (99.9th percentile)
A Command injection vulnerability in RaspAP 2.8.0 thru 2.8.7 allows unauthenticated attackers to execute arbitrary commands via the cfg_id parameter in /ajax/openvpn/activate_ovpncfg.php and /ajax/openvpn/del_ovpncfg.php.

Affected (2 ranges)

Vendor  | Product       | Version range     | Fixed in
billz   | raspap-webgui | >= 2.8.0 < 2.8.8  | 2.8.8
raspap  | raspap        | 2.8.0 – 2.8.7     |

Detection & IOCs (extracted from sources)

path: /ajax/openvpn/activate_ovpncfg.php
path: /ajax/openvpn/del_ovpncfg.php
command: cfg_id=;id;#
other: shodan:http.favicon.hash:-1465760059
other: fofa:icon_hash=-1465760059
snort
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS RaspAP Command Injection Attempt (CVE 2022-39986) M2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/ajax/openvpn/"; content:"_ovpncfg.php"; endswith; http.request_body; content:"cfg_id|3d 3b|"; startswith; fast_pattern; content:"|3b 23|"; endswith; reference:cve,2022-39986; reference:url,www.exploit-db.com/exploits/51676; classtype:attempted-admin; sid:2047675; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2023_08_18, deployment Perimeter, deployment Internal, deployment SSLDecrypt, performance_impact Low, confidence High, signature_severity Major, updated_at 2023_08_18, mitre_tactic_id TA0008, mitre_tactic_name Lateral_Movement, mitre_technique_id T1210, mitre_technique_name Exploitation_Of_Remote_Services; target:dest_ip;)
snort
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS RaspAP Command Injection Attempt (CVE 2022-39986) M1"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/ajax/openvpn/"; content:"_ovpncfg.php"; endswith; http.request_body; content:"cfg_id|25|3d|25|3b"; nocase; startswith; fast_pattern; content:"|25|3b|25|23"; nocase; endswith; reference:cve,2022-39986; reference:url,attackerkb.com/topics/rSD5BAQ0qO/cve-2022-39986; classtype:attempted-admin; sid:2047674; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2023_08_18, deployment Perimeter, deployment Internal, deployment SSLDecrypt, performance_impact Low, confidence High, signature_severity Major, updated_at 2023_08_18, mitre_tactic_id TA0008, mitre_tactic_name Lateral_Movement, mitre_technique_id T1210, mitre_technique_name Exploitation_Of_Remote_Services; target:dest_ip;)
  • Exploit targets POST requests to /ajax/openvpn/del_ovpncfg.php or /ajax/openvpn/activate_ovpncfg.php with a malicious cfg_id parameter containing shell metacharacters (semicolons and hash) — no authentication required.
  • Successful exploitation returns command output in the HTTP response body matching the pattern uid=... gid=... groups=... — use this regex to confirm RCE.
  • M2 Snort rule detects raw (non-URL-encoded) injection: POST body starts with cfg_id=; (bytes 3d 3b) and ends with ;# (bytes 3b 23) targeting URIs ending in _ovpncfg.php under /ajax/openvpn/.
  • M1 Snort rule detects URL-encoded injection: POST body starts with cfg_id%3d%3b (bytes 25 3d 25 3b) and ends with %3b%23 (bytes 25 3b 25 23), case-insensitive, targeting the same URI pattern.
  • RaspAP instances can be fingerprinted via favicon hash -1465760059 on Shodan or FOFA for proactive asset discovery and exposure monitoring.
  • The vulnerability affects only RaspAP versions 2.8.0 through 2.8.7; versions outside this range are not impacted by this specific injection path.
  • The exploit is unauthenticated — no session cookie, token, or credential is required, meaning perimeter controls blocking unauthenticated POST to these endpoints are the primary mitigation.
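The two ET rules and the response check described in the bullets above, as an added Python example (not part of this record, of Emerging Threats, or of RaspAP): it mirrors the M1/M2 request-body anchors, adds a broader decoded-cfg_id check that flags variants the exact byte anchors miss, and tests a response body for `id`-style output. Endpoint paths come from the bullets; the sample requests are constructed.

```python
import re
from urllib.parse import unquote_plus

OVPN_URI_DIR = "/ajax/openvpn/"
OVPN_URI_SUFFIX = "_ovpncfg.php"
SHELL_METACHARS = set(";|&`$(){}\n")

def _is_ovpncfg_endpoint(uri):
    # Mirrors: http.uri; content:"/ajax/openvpn/"; content:"_ovpncfg.php"; endswith;
    path = uri.split("?", 1)[0]
    return OVPN_URI_DIR in path and path.endswith(OVPN_URI_SUFFIX)

def match_et_rule(method, uri, body):
    """Return 'M1', 'M2' or None using the ET rules' request-body anchors."""
    if method.upper() != "POST" or not _is_ovpncfg_endpoint(uri):
        return None
    # M2 (sid 2047675): raw body starts with "cfg_id=;" and ends with ";#"
    if body.startswith("cfg_id=;") and body.endswith(";#"):
        return "M2"
    # M1 (sid 2047674): percent-encoded form, matched case-insensitively
    low = body.lower()
    if low.startswith("cfg_id%3d%3b") and low.endswith("%3b%23"):
        return "M1"
    return None

def cfg_id_has_shell_metachars(method, uri, body):
    """Broader check: decode the cfg_id form field and flag any shell metacharacter."""
    if method.upper() != "POST" or not _is_ovpncfg_endpoint(uri):
        return False
    for pair in body.split("&"):
        key, _, value = pair.partition("=")
        if unquote_plus(key) == "cfg_id" and SHELL_METACHARS & set(unquote_plus(value)):
            return True
    return False

# Output of `id` as it appears in a response body after successful injection.
ID_OUTPUT_RE = re.compile(r"uid=\d+\([^)]*\) gid=\d+\([^)]*\) groups=\d+")

def response_shows_command_output(response_body):
    return ID_OUTPUT_RE.search(response_body) is not None

if __name__ == "__main__":
    samples = [  # constructed sample requests, not captured traffic
        ("POST", "/ajax/openvpn/activate_ovpncfg.php", "cfg_id=;id;#"),
        ("POST", "/ajax/openvpn/del_ovpncfg.php", "cfg_id%3D%3Bid%3B%23"),
        ("POST", "/ajax/openvpn/del_ovpncfg.php", "cfg_id=%3Bid%3B%23"),
        ("POST", "/ajax/openvpn/activate_ovpncfg.php", "cfg_id=client1"),
    ]
    for s in samples:
        print(f"{s[2]!r:26} rule={match_et_rule(*s)} broad={cfg_id_has_shell_metachars(*s)}")
```

The third sample (only the value percent-encoded) matches neither ET anchor but is caught by the decoded-field check, which is the gap a host- or proxy-side detector should close.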

CVSS provenance

nvd: v3.1 · 9.8 CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck: 9.8 CRITICAL