CVE-2022-46604
published 2023-02-02


Priority: P178, high
CVSS 3.1: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Tags: ITW, EXPLOIT, VulnCheck KEV, Initial access
Exploited in the wild
EPSS: 8.63% (94.4th percentile)
An issue in Tecrail Responsive FileManager v9.9.5 and below allows attackers to bypass the file extension check mechanism and upload a crafted PHP file, leading to arbitrary code execution.

Affected

2 ranges
Vendor | Product | Version range | Fixed in
apache | activemq | >= 0 < 5.16.1-1ubuntu0.1 | 5.16.1-1ubuntu0.1
tecrail | responsive_filemanager | <= 9.9.5 |

Detection & IOCs (extracted from sources)

url: http://{host}/filemanager/execute.php?action=create_file
url: http://{host}/filemanager/dialog.php
url: http://{host}/source/shell.php
path: /source/shell.php
filename: shell.php
filename: shell.txt
path: ../thumbs/shell.php
cookie: PHPSESSID
command: ?cmd={command_to_run}
other: File successfully saved.
  • Detect POST requests to /filemanager/execute.php with the query parameter action=create_file, which is the exploit's file creation endpoint used to plant a PHP webshell disguised as a .txt file.
  • Alert on POST body parameters containing path=shell.php combined with name=shell.txt — this is the extension bypass technique: the file is named .txt but written to a .php path.
  • Monitor for path_thumb values containing directory traversal sequences (e.g., ../thumbs/) in POST requests to the filemanager endpoint.
  • Detect GET requests to /source/shell.php with a ?cmd= query parameter, indicating webshell interaction post-exploitation.
  • Flag creation of any .php file under the /source/ or /thumbs/ directories of the Responsive FileManager installation, as these are not expected upload destinations for PHP files.
  • The server response string 'File successfully saved.' on a create_file action targeting a .php path is a strong indicator of successful webshell implantation.
  • The exploit targets Responsive FileManager version 9.9.5 and below. Installations running versions above 9.9.5 are not affected by this specific bypass.
  • The webshell filename (shell.php) and path (/source/shell.php) used in the public PoC are defaults and may be trivially changed by an attacker; detection should not rely solely on this specific filename.
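
The URL-based checks above can be run over web server access logs. The following is an added example, not part of the original entry or of any vendor tooling: it assumes Combined Log Format, the function names and severity labels are illustrative, and the sample lines are constructed. POST body fields (path, name, path_thumb) do not appear in access logs, so those checks need a WAF or reverse proxy that records request bodies.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Combined Log Format prefix: client address, timestamp, request line (assumed format)
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*"')
UPLOAD_DIRS = ("/source/", "/thumbs/")  # directories named in the entry

def classify(line):
    """Return (client_ip, rule) for one access-log line, or None if nothing matches."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    query = parse_qs(url.query, keep_blank_values=True)
    path = url.path.lower()
    if (m["method"] == "POST" and path.endswith("/filemanager/execute.php")
            and "create_file" in query.get("action", [])):
        return m["ip"], "create_file"
    # Any .php under the upload directories counts, not only shell.php
    if path.endswith(".php") and any(d in path for d in UPLOAD_DIRS):
        rule = "php_cmd" if "cmd" in query else "php_in_upload_dir"
        return m["ip"], rule
    return None

def scan(lines):
    """Collect alerts; escalate when a client requests an uploaded .php after create_file."""
    creators, alerts = set(), []
    for line in lines:
        hit = classify(line)
        if hit is None:
            continue
        ip, rule = hit
        if rule == "create_file":
            creators.add(ip)
            alerts.append((ip, rule, "medium"))
        else:
            alerts.append((ip, rule, "critical" if ip in creators else "high"))
    return alerts

# Constructed sample lines using documentation address ranges, not captured traffic
SAMPLE = [
    '198.51.100.4 - - [02/Feb/2023:10:00:00 +0000] "GET /filemanager/dialog.php HTTP/1.1" 200 5120',
    '203.0.113.7 - - [02/Feb/2023:10:00:01 +0000] "POST /filemanager/execute.php?action=create_file HTTP/1.1" 200 24',
    '203.0.113.7 - - [02/Feb/2023:10:00:05 +0000] "GET /source/notes.php?cmd=test HTTP/1.1" 200 54',
    '198.51.100.9 - - [02/Feb/2023:10:01:00 +0000] "GET /thumbs/a.php HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for alert in scan(SAMPLE):
        print(alert)
```

Because the second rule matches on directory and extension rather than on shell.php, it still fires when the planted file has been renamed.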

CVSS provenance

Source | Version | Score | Severity | Vector
nvd | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
osv | | 8.8 | HIGH |
vulncheck | | 8.8 | HIGH |