CVE-2022-40881
Published 2022-11-17
CVE-2022-40881: SolarView Compact 6.00 was discovered to contain a command injection vulnerability via network_test.php
Priority P187 · critical · 9.8 · CVSS 3.1
AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
ITW · EXPLOIT · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 29.45% (97.9th percentile)
SolarView Compact 6.00 was discovered to contain a command injection vulnerability via network_test.php
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| contec | solarview_compact_firmware | — | — |
Detection & IOCs (extracted from sources)
- Monitor HTTP POST requests to /network_test.php containing newline-encoded payloads (%0a) in the 'host' parameter, which is the injection vector for CVE-2022-40881.
- Use Shodan favicon hash -244067125 to identify exposed SolarView Compact devices on the internet for asset discovery and prioritization.
- GreyNoise began observing active exploitation attempts tagged as 'SolarView Compact 6 CVE-2022-40881 RCE Attempt' starting 2023-07-18, indicating mass internet scanning activity.
- The injection payload uses ${IFS} as a space substitute (e.g., cat${IFS}/etc/passwd) to bypass simple input filtering; look for this pattern in POST body parameters.
- The Nuclei template targets unauthenticated POST requests (PR:N), meaning no credentials are required to exploit the vulnerability; detection should not be limited to authenticated sessions.
- The EPSS score of 0.93672 (99.846th percentile) indicates extremely high likelihood of exploitation in the wild; this CVE should be treated as actively exploited.
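
The first and fourth detection points above, combined into one check. This is an added example, not code from the page or from any vendor. It assumes a proxy or WAF log that captures POST bodies as (method, URL, body) records, and the `SAFE_HOST` allowlist for legitimate `host` values is an assumption.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

TARGET_PATH = "/network_test.php"
# Assumption: a legitimate 'host' value is a plain hostname or IP literal.
SAFE_HOST = re.compile(r"[A-Za-z0-9.:-]{1,253}")
IFS_TOKEN = re.compile(r"\$\{?IFS\}?")

def decode_fully(value, rounds=3):
    """URL-decode repeatedly so double-encoded newlines (%250a) are exposed."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def inspect_request(method, url, body):
    """Return the reasons a request matches the CVE-2022-40881 pattern."""
    if method.upper() != "POST" or urlsplit(url).path != TARGET_PATH:
        return []
    reasons = []
    for name, raw in parse_qsl(body, keep_blank_values=True):
        if name != "host":
            continue
        value = decode_fully(raw)  # parse_qsl has already decoded once
        if "\n" in value or "\r" in value:
            reasons.append("newline in host")
        if IFS_TOKEN.search(value):
            reasons.append("${IFS} space substitute")
        if not SAFE_HOST.fullmatch(value):
            reasons.append("host is not a plain hostname or IP")
    return reasons

# Constructed sample records (method, URL, POST body); not real traffic.
SAMPLE = [
    ("POST", "/network_test.php", "host=192.0.2.10"),
    ("POST", "/network_test.php", "host=%0acat${IFS}/etc/passwd%0a"),
    ("POST", "/network_test.php?x=1", "host=192.0.2.10%250A"),
    ("GET", "/network_test.php", ""),
    ("POST", "/index.php", "host=%0a"),
]

def scan(records):
    """Return {record index: reasons} for every flagged record."""
    results = {i: inspect_request(*rec) for i, rec in enumerate(records)}
    return {i: r for i, r in results.items() if r}
```

The allowlist check catches shell metacharacters that neither the newline nor the `${IFS}` rule names, so it is the rule to keep if only one can be deployed.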
CVSS provenance
nvd · v3.1 · 9.8 CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck · 9.8 CRITICAL
GHSA
GHSA-wx3r-88rg-whxq: SolarView Compact 6
ghsa_unreviewed·2022-11-17
CVE-2022-40881 [CRITICAL] CWE-77 GHSA-wx3r-88rg-whxq: SolarView Compact 6
SolarView Compact 6.00 was discovered to contain a command injection vulnerability via network_test.php
VulnCheck
contec solarview_compact Improper Neutralization of Special Elements used in a Command ('Command Injection')
vulncheck·2022·CVSS 9.8
CVE-2022-40881 [CRITICAL] contec solarview_compact Improper Neutralization of Special Elements used in a Command ('Command Injection')
SolarView Compact 6.00 was discovered to contain a command injection vulnerability via network_test.php
Affected: contec solarview_compact
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-11-13&host_type=src&vulnerability=cve-2022-40881; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-11-16&host_type=src&vulnerability=cve-2022-40881; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-12-01&host_type=sr
No detection rules found.
Nuclei
SolarView 6.00 - Remote Command Execution
nuclei·CVSS 9.8
CVE-2022-40881 [CRITICAL] SolarView 6.00 - Remote Command Execution
SolarView Compact 6.00 is vulnerable to a command injection via network_test.php.
Template:
```yaml
id: CVE-2022-40881

info:
  name: SolarView 6.00 - Remote Command Execution
  author: For3stCo1d
  severity: critical
  description: |
    SolarView Compact 6.00 is vulnerable to a command injection via network_test.php.
  impact: |
    Successful exploitation of this vulnerability allows an attacker to execute arbitrary commands on the target system.
  remediation: |
    Apply the latest patch or upgrade to a non-vulnerable version of SolarView.
  reference:
    - https://github.com/Timorlover/SolarView_Compact_6.0_rce_via_network_test.php
    - https://github.com/advisories/GHSA-wx3r-88rg-whxq
    - https://nvd.nist.gov/vuln/detail/CVE-2022-40881
    - https://github.com/KayCHENvip/vulnerabilit
```
Greynoiseio
NoiseLetter
blogs_greynoiseio
Greynoiseio
GreyNoise Round-Up: Product Updates
blogs_greynoiseio
Published: 2022-11-17
Exploited in the wild