CVE-2022-40022
Published 2023-02-13
CVE-2022-40022: Microchip Technology (Microsemi) SyncServer S650 was discovered to contain a command injection vulnerability.
Priority: P1 (90)
Severity: critical, 9.8 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Flags: ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 92.47% (99.8th percentile)
Detection & IOCs (extracted from sources)
YARA indicator:
uid=([0-9(a-z)]+)
- Successful exploitation results in an HTTP 302 redirect response with a body containing 'uid=<digits/letters>' (output of the injected 'id' command). Monitor for 302 responses from /controller/ping.php containing uid= strings.
- Shodan fingerprint for exposed SyncServer devices: search for html:"Symmetricom SyncServer" to identify internet-facing targets.
- S100 through S350 models are vulnerable to unauthenticated exploitation due to a session handling vulnerability in addition to the command injection; no credentials are required for those models.
- Attacker-controlled outbound callback connections will use TCP ports 25 or 80 (server-side egress is restricted). Monitor for unexpected outbound TCP connections on port 25 or 80 from SyncServer devices.
- The vulnerability is patched in S650 firmware v2.2. Later (non-EOL) models require authentication for exploitation, which the public Metasploit module does not support.
- S100–S350 models are End of Life and vulnerable unauthenticated; S650 and later models require authentication, limiting unauthenticated attack surface on patched/newer hardware.
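The two monitoring recommendations above (302 responses from /controller/ping.php carrying `id` output, and unexpected outbound TCP 25/80 from SyncServer devices) can be turned into a small detection pass over existing logs. The code below is an added example written for this page; it is not from the vendor, VulnCheck, Metasploit or Nuclei. The HTTP-response record schema, the firewall log format, and the SyncServer inventory addresses are all constructed for illustration and are labelled as such in the code; the `uid=` pattern is the YARA indicator quoted above.

```python
"""Detection pass for the CVE-2022-40022 indicators listed on this page.

Added example (not vendor or project code). Assumptions, all constructed:
  - HTTP responses arrive as dicts {'dst', 'path', 'status', 'body'} where
    'dst' is the SyncServer that answered (e.g. from a proxy or IDS export);
  - firewall egress lines look like 'src=<ip> dst=<ip> proto=<p> dport=<n> action=<a>';
  - SYNCSERVER_HOSTS is the defender's own inventory of SyncServer addresses.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Same pattern as the YARA indicator on the page; matches e.g. "uid=0(root)".
UID_RE = re.compile(r"uid=([0-9(a-z)]+)")

SYNCSERVER_HOSTS = {"10.0.5.20", "10.0.5.21"}   # constructed inventory (assumption)
CALLBACK_PORTS = {25, 80}                        # ports named in the Metasploit notes


@dataclass
class Alert:
    kind: str
    host: str
    detail: str


def check_http_response(rec: dict) -> Optional[Alert]:
    """Flag a 302 from /controller/ping.php whose body carries `id` output.

    A plain 302 from ping.php with no uid= text is the device's normal
    redirect and is deliberately not alerted on.
    """
    path = rec.get("path", "").split("?", 1)[0]
    if rec.get("status") != 302 or path != "/controller/ping.php":
        return None
    m = UID_RE.search(rec.get("body", ""))
    if m is None:
        return None
    return Alert("ping.php-command-output", rec["dst"], f"302 body contains {m.group(0)}")


def parse_fw_line(line: str) -> dict:
    """Split a constructed 'k=v k=v ...' firewall line into a dict."""
    return dict(kv.split("=", 1) for kv in line.split() if "=" in kv)


def check_egress(line: str) -> Optional[Alert]:
    """Flag a SyncServer host opening an outbound TCP session to port 25 or 80."""
    f = parse_fw_line(line)
    if f.get("proto") != "tcp" or f.get("src") not in SYNCSERVER_HOSTS:
        return None
    try:
        dport = int(f.get("dport", ""))
    except ValueError:
        return None
    if dport not in CALLBACK_PORTS:
        return None
    return Alert("syncserver-egress", f["src"], f"outbound tcp/{dport} to {f.get('dst')}")


def scan(http_records: Iterable[dict], fw_lines: Iterable[str]) -> List[Alert]:
    """Run both checks and return every alert in input order."""
    alerts: List[Alert] = []
    for rec in http_records:
        a = check_http_response(rec)
        if a is not None:
            alerts.append(a)
    for line in fw_lines:
        a = check_egress(line)
        if a is not None:
            alerts.append(a)
    return alerts


# Constructed sample input: one true positive per check, plus benign lines.
SAMPLE_HTTP = [
    {"dst": "10.0.5.20", "path": "/controller/ping.php", "status": 302,
     "body": "uid=0(root) gid=0(root)"},                       # id output leaked
    {"dst": "10.0.5.20", "path": "/controller/ping.php", "status": 302,
     "body": ""},                                              # ordinary redirect
    {"dst": "10.0.5.21", "path": "/controller/status.php", "status": 200,
     "body": "uid=0(root)"},                                   # wrong path/status
]
SAMPLE_FW = [
    "src=10.0.5.20 dst=203.0.113.7 proto=tcp dport=80 action=allow",   # callback port
    "src=10.0.5.20 dst=10.0.5.1 proto=udp dport=123 action=allow",     # NTP, expected
    "src=10.0.9.9 dst=203.0.113.7 proto=tcp dport=25 action=allow",    # not a SyncServer
    "src=10.0.5.21 dst=203.0.113.8 proto=tcp dport=443 action=allow",  # not a callback port
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_HTTP, SAMPLE_FW):
        print(f"[{alert.kind}] {alert.host}: {alert.detail}")
```

Run against the constructed samples this reports exactly two alerts, both for 10.0.5.20: the ping.php response containing `uid=0(root)` and the outbound tcp/80 session. The egress check is keyed on an inventory of SyncServer addresses because the page's guidance is specifically about those devices; any outbound 25/80 from an NTP appliance is unexpected regardless of whether the HTTP indicator was seen.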
CVSS provenance
- NVD: v3.1 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- VulnCheck: 9.8 CRITICAL
GHSA
GHSA-8vxm-rjvx-9v3r: Microchip Technology (Microsemi) SyncServer S650 was discovered to contain a command injection vulnerability
ghsa_unreviewed · 2023-02-13 · CVE-2022-40022 · CRITICAL · CWE-77
Microchip Technology (Microsemi) SyncServer S650 was discovered to contain a command injection vulnerability.
VulnCheck
microchip syncserver_s650_firmware: Improper Neutralization of Special Elements used in a Command ('Command Injection')
vulncheck · 2022 · CVE-2022-40022 · CVSS 9.8 · CRITICAL
Microchip Technology (Microsemi) SyncServer S650 was discovered to contain a command injection vulnerability.
Affected: microchip syncserver_s650_firmware
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-11-13&host_type=src&vulnerability=cve-2022-40022; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-01-22&host_type=src&vulnerability=cve-2022-40022; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?d
No detection rules found.
Metasploit
Symmetricom SyncServer Unauthenticated Remote Command Execution
metasploit · CVE-2022-40022 · CVSS 9.8 · CRITICAL
This module exploits an unauthenticated command injection vulnerability in /controller/ping.php. The S100 through S350 (End of Life) models should be vulnerable to unauthenticated exploitation due to a session handling vulnerability. Later models require authentication which is not provided in this module because we can't test it. The command injection vulnerability is patched in the S650 v2.2 (CVE-2022-40022). Run 'check' first to determine if vulnerable. The server limits outbound ports. Ports 25 and 80 TCP were successfully used for SRVPORT and LPORT while testing this module.
Nuclei
Symmetricom SyncServer Unauthenticated - Remote Command Execution
nuclei · CVE-2022-40022 · CVSS 9.8 · CRITICAL
Microchip Technology (Microsemi) SyncServer S650 was discovered to contain a command injection vulnerability.
Template:
id: CVE-2022-40022
info:
  name: Symmetricom SyncServer Unauthenticated - Remote Command Execution
  author: DhiyaneshDK,mielverkerken
  severity: critical
  description: |
    Microchip Technology (Microsemi) SyncServer S650 was discovered to contain a command injection vulnerability.
  impact: |
    Successful exploitation of this vulnerability could allow an attacker to execute arbitrary commands on the affected device.
  remediation: |
    Apply the latest security patches or firmware updates provided by the vendor to mitigate this vulnerability.
  reference:
    - http://packetstormsecurity.com/files/172907/Symmetricom-SyncServ
No writeups or analysis indexed.
References
- http://packetstormsecurity.com/files/172907/Symmetricom-SyncServer-Unauthenticated-Remote-Command-Execution.html
- https://www.microsemi.com/campaigns/network-time-servers/S650p/%3Fgd%3D1&id=5&gclid=Cj0KCQjwjbyYBhCdARIsAArC6LL-202ej5YfDB5lMIMSZ2735qjo5yaj2i-PrvLv2Cnh_kIJtFJ0oF8aAlMpEALw_wcB
- https://www.microsemi.com/campaigns/network-time-servers/syncserver-s600/?url=https://www.microsemi.com/document-portal/doc_download/135737-datasheet-syncserver-s650
- https://www.securifera.com/advisories/CVE-2022-40022/