CVE-2022-42139
Published 2022-12-14
CVE-2022-42139: Delta Electronics DVW-W02W2-E2 1.5.0.10 is vulnerable to Command Injection via Crafted URL.
Priority: P266 · high · 8.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 18.16% (96.8th percentile)
Delta Electronics DVW-W02W2-E2 1.5.0.10 is vulnerable to Command Injection via Crafted URL.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| deltaww | dvw-w02w2-e2_firmware | — | — |
Detection & IOCs
- Vulnerability is exploitable via authenticated HTTP POST parameters on the DVW-W02W2-E2 web server — monitor for anomalous POST requests containing OS command injection payloads (e.g., shell metacharacters) to the device's web interface
- NVD describes exploitation via a crafted URL — also monitor GET requests with shell metacharacters or command-injection sequences in URL parameters targeting the DVW-W02W2-E2 web interface
- A public Proof of Concept exists (authored by T. Weber of CyberDanube Security Research) — prioritize detection and patching given active PoC availability
- Successful exploitation grants root-level OS access — look for unexpected outbound connections, new privileged processes, or serial port command activity originating from the DVW-W02W2-E2 device
- NVD attributes the vulnerability to firmware version 1.5.0.10, while the CISA ICS advisory attributes it to version 2.42 — ensure detection and patching scope covers both version references for the DVW-W02W2-E2
- The vulnerability requires only low privileges (authenticated, PR:L) to exploit — do not assume that requiring authentication is a sufficient mitigation; any low-privileged account can be leveraged
- The patched firmware version is 2.5.2 — devices running version 2.42 (or 1.5.0.10 per NVD) and below should be considered vulnerable and flagged in asset inventories
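The request monitoring described in the list above, as an added example (not code from the vendor, CISA, or any source this page cites): it scans proxy-style log lines for shell metacharacters in URL and POST parameters sent to a device's web interface, decoding nested percent-encoding first. The tab-separated log format, the device address 192.0.2.10, and all paths and parameter names are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote_plus

# Command separators, pipes, backticks, $( ) / ${ } substitution, newlines.
SHELL_META = re.compile(r"[;|&`\n\r]|\$\(|\$\{")

def fully_decode(value, rounds=3):
    """Undo nested percent-encoding (e.g. %253B -> %3B -> ;)."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_params(raw):
    """Return (name, decoded_value) pairs whose value contains shell metacharacters."""
    hits = []
    for name, value in parse_qsl(raw, keep_blank_values=True):
        value = fully_decode(value)
        if SHELL_META.search(value):
            hits.append((name, value))
    return hits

def scan(log_lines, device_hosts):
    """Flag GET and POST requests to the listed devices that carry injection-like values."""
    alerts = []
    for line in log_lines:
        # Assumed log format: time, source IP, method, host, URL, request body.
        ts, src, method, host, url, body = line.rstrip("\n").split("\t")
        if host not in device_hosts:
            continue
        hits = suspicious_params(urlsplit(url).query)
        if method == "POST":
            hits += suspicious_params(body)
        if hits:
            alerts.append({"time": ts, "src": src, "method": method, "url": url, "params": hits})
    return alerts

# Constructed sample lines (not captured traffic); paths and parameter names are hypothetical.
SAMPLE_LOG = [
    "2023-02-02T10:00:07Z\t10.0.5.20\tPOST\t192.0.2.10\t/apply\tname=router1&mode=dhcp",
    "2023-02-02T10:03:12Z\t10.0.5.77\tPOST\t192.0.2.10\t/apply\thost=127.0.0.1%3Bid",
    "2023-02-02T10:03:40Z\t10.0.5.77\tGET\t192.0.2.10\t/diag?target=x%2560id%2560\t",
    "2023-02-02T10:04:00Z\t10.0.5.77\tGET\t192.0.2.99\t/search?q=a%7Cb\t",
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG, device_hosts={"192.0.2.10"}):
        print(alert)
```

A parameter that legitimately contains `&` or `;` (a password field, for instance) will also match, so treat hits as leads to review alongside the source account and the device's firmware version.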
CISA ICS
Delta Electronics DVW-W02W2-E2
cisa_ics·2023-02-02·CVSS 8.8
[HIGH] Delta Electronics DVW-W02W2-E2
ICS Advisory
## Delta Electronics DVW-W02W2-E2
Release Date: February 02, 2023
Alert Code: ICSA-23-033-04
## 1. EXECUTIVE SUMMARY
- CVSS v3 9.9
- ATTENTION: Public exploit available/exploitable remotely/low attack complexity
- Vendor: Delta Electronics
- Equipment: DVW-W02W2-E2
- Vulnerabilities: OS Command Injection
## 2. RISK EVALUATION
Successful exploitation of this vulnerability could allow a threat actor with low privileges to gain root access to the device, which could then allow them to send malicious commands to managed devices.
## 3. TECHNICAL DETAILS
## 3.1 AFFECTED PRODUCTS
The following versions of DVW-W02W2-E2, an industrial ethernet router, are affected:
- DVW-W02W2-E2: Version 2.42
## 3.2 VULNERABILITY OVERVIEW
3.2.1 IMPROPER NEUTRALIZATIO
GHSA
GHSA-cj3w-8mcc-6jj8: Delta Electronics DVW-W02W2-E2 1
ghsa_unreviewed·2022-12-14
CVE-2022-42139 [HIGH] CWE-78 GHSA-cj3w-8mcc-6jj8: Delta Electronics DVW-W02W2-E2 1
Delta Electronics DVW-W02W2-E2 1.5.0.10 is vulnerable to Command Injection via Crafted URL.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2022-12-14