cbcvebase.
CVE-2022-40022
published 2023-02-13

CVE-2022-40022: Microchip Technology (Microsemi) SyncServer S650 was discovered to contain a command injection vulnerability.

Priority: P1 (90), critical
CVSS 3.1: 9.8 (AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H)
Exploited in the wild (ITW): listed in VulnCheck KEV
EPSS: 92.47% (99.8th percentile)

Detection & IOCs (extracted from sources)

path: /controller/ping.php
yara/regex: uid=([0-9(a-z)]+)
  • Successful exploitation returns an HTTP 302 redirect whose body contains "uid=<digits/letters>", i.e. the output of the injected id command. Monitor for 302 responses from /controller/ping.php whose body contains a uid= string.
  • Shodan fingerprint for exposed SyncServer devices: html:"Symmetricom SyncServer" identifies internet-facing units.
  • S100 through S350 models are exploitable without credentials: a session-handling flaw lets an unauthenticated attacker reach the command injection.
  • Egress from the device is restricted, so attacker callbacks (e.g. a reverse shell) are limited to outbound TCP 25 or TCP 80. Monitor for unexpected outbound connections on those ports originating from SyncServer devices.
  • The vulnerability is patched in S650 firmware v2.2. S100–S350 models are End of Life and remain exploitable unauthenticated; S650 and later models require authentication, which the public Metasploit module does not support, so the unauthenticated attack surface on patched or newer hardware is limited.
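The two network-side signals above (a 302 from /controller/ping.php carrying id output, and unexpected TCP 25/80 egress from a SyncServer) can be checked mechanically. The following is an added example, not code from the CVE record or from any vendor or Metasploit module; the device IPs, the SMTP-relay allowlist, and the sample transactions and flows are constructed for illustration, and the request parameter that carries the injection is not shown on this page, so the sample requests omit it. The id-output regex is my own stricter form of the page's uid=([0-9(a-z)]+) indicator (whose character class matches literal parentheses as well as letters and digits).

```python
import re
from dataclasses import dataclass

PING_PATH = "/controller/ping.php"

# Matches the shape of `id` output, e.g. "uid=0(root) gid=0(root)".
# Stricter than the page's indicator so a stray "uid=" in an HTML page
# does not fire; assumption: the injected command was `id`, as the page states.
ID_OUTPUT_RE = re.compile(r"uid=\d+\([a-z0-9_-]+\)", re.IGNORECASE)


@dataclass
class HttpTx:
    """One captured HTTP exchange (e.g. from a proxy or IDS with body capture)."""
    src_ip: str     # client
    dst_ip: str     # SyncServer
    method: str
    path: str       # request target, query string included if any
    status: int
    body: str       # response body


def is_exploit_response(tx: HttpTx) -> bool:
    """True when the exchange matches the success indicator from the advisory:
    a 302 from /controller/ping.php whose body carries `id` output."""
    path_only = tx.path.split("?", 1)[0]
    return (path_only == PING_PATH
            and tx.status == 302
            and ID_OUTPUT_RE.search(tx.body) is not None)


def find_exploit_attempts(txs):
    return [tx for tx in txs if is_exploit_response(tx)]


@dataclass
class Flow:
    """One connection record (NetFlow / Zeek conn.log style)."""
    src_ip: str
    dst_ip: str
    dst_port: int
    proto: str


# Assumed inventory of SyncServer management addresses on this network.
SYNCSERVER_IPS = {"10.0.5.10", "10.0.5.11"}
# Assumed legitimate egress: the appliance mails alerts via an internal SMTP relay.
EXPECTED_EGRESS = {("10.0.5.10", "10.0.0.25", 25), ("10.0.5.11", "10.0.0.25", 25)}


def suspicious_egress(flows):
    """Flag TCP 25/80 connections from a SyncServer that are not on the allowlist.
    The device's egress filtering means a callback shell has only these ports."""
    hits = []
    for f in flows:
        if f.proto != "tcp" or f.src_ip not in SYNCSERVER_IPS:
            continue
        if f.dst_port not in (25, 80):
            continue
        if (f.src_ip, f.dst_ip, f.dst_port) in EXPECTED_EGRESS:
            continue
        hits.append(f)
    return hits


# Constructed sample data (not captured from a real device).
SAMPLE_TXS = [
    # Exploit success: redirect carrying the output of `id`.
    HttpTx("203.0.113.9", "10.0.5.10", "GET", PING_PATH, 302,
           "uid=0(root) gid=0(root) groups=0(root)\r\n"),
    # Benign use of the same endpoint: plain redirect, no command output.
    HttpTx("10.0.0.40", "10.0.5.10", "GET", PING_PATH, 302,
           "<html><body>Redirecting...</body></html>"),
    # uid= appears elsewhere on the site; wrong path and status, so ignored.
    HttpTx("10.0.0.40", "10.0.5.10", "GET", "/index.php", 200,
           "<p>uid=4(user) settings</p>"),
]

SAMPLE_FLOWS = [
    Flow("10.0.5.10", "10.0.0.25", 25, "tcp"),      # allowlisted SMTP relay
    Flow("10.0.5.10", "198.51.100.7", 80, "tcp"),   # unexpected: likely callback
    Flow("10.0.5.11", "10.0.0.1", 123, "udp"),      # NTP, not in scope
    Flow("10.0.0.40", "198.51.100.7", 80, "tcp"),   # not a SyncServer
]

if __name__ == "__main__":
    for tx in find_exploit_attempts(SAMPLE_TXS):
        print(f"ALERT exploit response: {tx.src_ip} -> {tx.dst_ip} {tx.path}")
    for f in suspicious_egress(SAMPLE_FLOWS):
        print(f"ALERT egress: {f.src_ip} -> {f.dst_ip}:{f.dst_port}")
```

The HTTP check needs response bodies, so it assumes a sensor that captures them (a reverse proxy in front of the management interface or an IDS with body logging); the egress check works on ordinary flow records and will also catch callbacks that do not go through the web interface at all.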

CVSS provenance

NVD (v3.1): 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
VulnCheck: 9.8 CRITICAL