CVE-2022-45699
Published 2023-02-10
Priority P1 · 92 · critical · CVSS 3.1 base score 9.8
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: ITW · EXPLOIT · VulnCheck KEV · Exploited in the wild
EPSS: 76.60% (99.5th percentile)
Command injection in the administration interface in APSystems ECU-R version 5203 allows a remote unauthenticated attacker to execute arbitrary commands as root using the timezone parameter.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apsystems | ecu-r_firmware | — | — |
Detection & IOCs (extracted from sources)
Snort / Suricata (ET Open, sid 2057254):
```snort
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS APsystems ECU-R Command Inject Attempt (CVE-2022-45699)"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:34; content:"/index.php/management/set_timezone"; fast_pattern; http.request_body; content:"timezone|3d|"; pcre:"/^[^\x26]*?(?:(?:\x3b|%3[Bb])|(?:\x0a|%0[Aa])|(?:\x60|%60)|(?:\x7c|%7[Cc])|(?:\x24|%24))+/R"; reference:url,unit42.paloaltonetworks.com/mirai-variant-targets-iot-exploits/; reference:cve,2022-45699; classtype:attempted-admin; sid:2057254; rev:1; metadata:attack_target Networking_Equipment, tls_state plaintext, created_at 2024_11_05, cve CVE_2022_45699, deployment Perimeter, deployment Internal, performance_impact Low, confidence High, signature_severity Major, tag Exploit, updated_at 2024_11_05, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
```
- Fingerprint the target before attempting exploitation: the HTTP response body of the root path of an ECU-R contains the string 'Altenergy Power Control Software'.
- The exploit traffic is unauthenticated (no session or auth headers are required). The attack pattern is a POST to /index.php/management/set_timezone whose timezone parameter contains shell metacharacters (;, newline, backtick, pipe, $).
- The Snort/Suricata rule requires all of: POST method, a URI of exactly 34 bytes (bsize:34) equal to /index.php/management/set_timezone, and a request body containing 'timezone=' followed, before the next '&', by one or more shell metacharacters in raw or URL-encoded form (; or %3B, newline or %0A, backtick or %60, pipe or %7C, dollar or %24).
- This CVE has been linked to exploitation by a Mirai botnet variant in the wild. After a suspected successful injection, monitor the device for outbound wget/curl callbacks or bot enrollment traffic.
- Caveat: the rule (sid:2057254) is tagged tls_state plaintext and will not fire on TLS-encrypted traffic. Place the sensor where plaintext HTTP to the device is visible.
- Caveat: the URI match uses bsize:34, an exact byte-length match on the URI. A URL-encoded or path-varied request (for example a trailing slash or an extra path segment) will not match this specific rule.
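The matching conditions in the bullets above, re-implemented as an added, stand-alone Python check so they can be exercised offline against constructed requests. This is example code written for this page, not the ET rule authors' code and not anything from APsystems; the sample requests, the host 192.0.2.10 and the payload strings are constructed test input, and the `match_rule`, `parse_request` and `is_ecu_r_banner` names are this example's own. It also covers the fingerprint check from the first bullet and shows where the bsize:34 and '&'-bounded pcre caveats cause the rule to stay silent.

```python
"""Offline re-implementation of the matching logic of ET rule sid:2057254
(APsystems ECU-R set_timezone command injection), run over constructed
HTTP requests. Added example; not the rule authors' or vendor's code."""
import re
from dataclasses import dataclass
from typing import Dict, Optional

# Constants transcribed from the rule text: exact URI (bsize:34), the body
# content match, and the pcre that is anchored (/R) where "timezone=" ended.
RULE_URI = b"/index.php/management/set_timezone"
RULE_URI_BSIZE = 34
BODY_PREFIX = b"timezone="
METACHAR_RE = re.compile(
    rb"^[^\x26]*?((?:\x3b|%3[Bb])|(?:\x0a|%0[Aa])|(?:\x60|%60)|(?:\x7c|%7[Cc])|(?:\x24|%24))+"
)
# Product string the page's fingerprinting note says appears on the root page.
FINGERPRINT = b"Altenergy Power Control Software"


@dataclass
class HttpRequest:
    method: bytes
    uri: bytes
    body: bytes


def parse_request(raw: bytes) -> HttpRequest:
    """Minimal HTTP/1.x request parser: request line, headers skipped, body kept."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line = head.split(b"\r\n", 1)[0]
    method, uri, _version = request_line.split(b" ", 2)
    return HttpRequest(method=method, uri=uri, body=body)


def match_rule(req: HttpRequest) -> Optional[bytes]:
    """Return the injected metacharacter (raw or URL-encoded) when the request
    satisfies every condition of sid:2057254, otherwise None."""
    if req.method != b"POST":                       # http.method; content:"POST"
        return None
    if len(req.uri) != RULE_URI_BSIZE or req.uri != RULE_URI:   # bsize:34 + content
        return None
    # http.request_body; content:"timezone="; pcre relative to that match.
    # Every occurrence is tried, mirroring the engine retrying content hits.
    start = 0
    while (idx := req.body.find(BODY_PREFIX, start)) >= 0:
        m = METACHAR_RE.match(req.body[idx + len(BODY_PREFIX):])
        if m:
            return m.group(1)
        start = idx + 1
    return None


def is_ecu_r_banner(response_body: bytes) -> bool:
    """Pre-exploitation fingerprint: the root page of an ECU-R carries FINGERPRINT."""
    return FINGERPRINT in response_body


def build_request(method: bytes, path: bytes, body: bytes) -> bytes:
    """Assemble a raw HTTP/1.1 request (constructed traffic, host is RFC 5737 space)."""
    headers = (b"Host: 192.0.2.10\r\n"
               b"Content-Type: application/x-www-form-urlencoded\r\n"
               b"Content-Length: %d\r\n" % len(body))
    return method + b" " + path + b" HTTP/1.1\r\n" + headers + b"\r\n" + body


# Constructed sample traffic (not captured from a real device).
SAMPLES: Dict[str, bytes] = {
    "injection_raw":        build_request(b"POST", RULE_URI, b"timezone=UTC;id"),
    "injection_encoded":    build_request(b"POST", RULE_URI, b"timezone=UTC%3bid"),
    "injection_dollar":     build_request(b"POST", RULE_URI, b"timezone=$(id)"),
    "benign":               build_request(b"POST", RULE_URI, b"timezone=Europe%2FBerlin"),
    # metacharacter only after '&', in another parameter: the pcre stops at '&'
    "metachar_other_param": build_request(b"POST", RULE_URI, b"timezone=UTC&note=a;b"),
    # path variation: 35-byte URI fails bsize:34 (the evasion caveat above)
    "trailing_slash":       build_request(b"POST", RULE_URI + b"/", b"timezone=UTC;id"),
    "get_method":           build_request(b"GET", RULE_URI, b"timezone=UTC;id"),
}


def scan(samples: Dict[str, bytes] = SAMPLES) -> Dict[str, Optional[bytes]]:
    """Run the rule logic over each sample; value is the matched metacharacter or None."""
    return {name: match_rule(parse_request(raw)) for name, raw in samples.items()}


if __name__ == "__main__":
    for name, hit in scan().items():
        print(f"{name:22s} -> {'ALERT ' + repr(hit) if hit else 'no match'}")
```

The two silent cases are the ones worth reading: `metachar_other_param` stays quiet because the pcre's `[^\x26]*?` prefix never crosses an '&', so only the timezone value itself is inspected, and `trailing_slash` stays quiet purely because of bsize:34, which is why a path-varied request evades this rule even though the body is identical to the alerting one.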
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| VulnCheck | — | 9.8 | CRITICAL | — |
GHSA
GHSA-c79x-94g8-gr5h · ghsa_unreviewed · 2023-02-10 · CWE-77 · CRITICAL
Command injection in the administration interface in APSystems ECU-R version 5203 allows a remote unauthenticated attacker to execute arbitrary commands as root using the timezone parameter.
VulnCheck
apsystems ecu-r_firmware · Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') · 2022 · CVSS 9.8 · CRITICAL
Command injection in the administration interface in APSystems ECU-R version 5203 allows a remote unauthenticated attacker to execute arbitrary commands as root using the timezone parameter.
Affected: apsystems ecu-r_firmware
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://unit42.paloaltonetworks.com/mirai-variant-targets-iot-exploits/
Suricata
ET WEB_SPECIFIC_APPS APsystems ECU-R Command Inject Attempt (CVE-2022-45699) · sid 2057254 · created 2024-11-05 · CVSS 9.8 · CRITICAL
Rule text: as listed in full under Detection & IOCs above.
Nuclei
APsystems ECU-R Firmware - Command Injection · CVSS 9.8 · CRITICAL
Template (as published on the page; the impact text is cut off in the source):
```yaml
id: CVE-2022-45699
info:
  name: APsystems ECU-R Firmware - Command Injection
  author: pussycat0x
  severity: critical
  description: |
    Command injection in the administration interface in APSystems ECU-R version 5203 allows a remote unauthenticated attacker to execute arbitrary commands as root using the timezone parameter.
  impact: |
    Unauthenticated attackers can execute arbitrary commands with root privileges through the timezone parameter in the administration interface, potentially compromising the entire solar power management system and connecte
```
Unit42
IoT Under Siege: The Anatomy of the Latest Mirai Campaign Leveraging Multiple IoT Exploits · blogs_unit42 · 2023-06-22 · CVSS 9.8 (entry indexed under CVE-2019-12725)
## Executive Summary
Since March 2023, Unit 42 researchers have observed threat actors leveraging several IoT vulnerabilities to spread a variant of the Mirai botnet. The vulnerabilities exploited include those listed in the following table (the excerpt on this page is cut off after the Tenda entry):
| CVE/Product | Description |
|---|---|
| CVE-2019-12725 | Zeroshell Remote Command Execution Vulnerability |
| CVE-2019-17621 | D-Link DIR-859 Remote Command Injection Vulnerability |
| CVE-2019-20500 | D-Link DWL-2600AP Remote Command Execution Vulnerability |
| CVE-2021-25296 | Nagios XI Remote Command Injection Vulnerability |
| CVE-2021-46422 | Telesquare SDT-CW3B1 Router Command Injection Vulnerability |
| CVE-2022-27002 | Arris TR3300 Remote Command Injection Vulnerability |
| CVE-2022-29303 | SolarView Compact Command Injection Vulnerability |
| CVE-2022-30023 | Tenda HG9 Router Command Injectio |
Unit42 post metadata (same post as above)
Authors: Chao Lei, Zhibin Zhang, Yiheng An, Cecilia Hu
Published: June 22, 2023
Sections and tags: Threat Research Center, Trend Reports, Vulnerabilities, Botnet, IoT, IoT Security, Mirai
CVEs tagged on the post: CVE-2019-12725, CVE-2019-17621, CVE-2019-20500, CVE-2021-25296, CVE-2021-46422, CVE-2022-27002, CVE-2022-29303, CVE-2022-30023, CVE-2022-30525, CVE-2022-31499, CVE-2022-36266, CVE-2022-40005, CVE-2022-45699, CVE-2023-1389, CVE-2023-25280, CVE-2023-27240