CVE-2022-48323
published 2023-02-13


Priority: P191 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: ITW EXPLOIT · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 56.79% (98.9th percentile)
Sunlogin Sunflower Simplified (aka Sunflower Simple and Personal) 1.0.1.43315 is vulnerable to a path traversal issue. A remote and unauthenticated attacker can execute arbitrary programs on the victim host by sending a crafted HTTP request, as demonstrated by /check?cmd=ping../ followed by the pathname of the powershell.exe program.

Affected

1 range
Vendor: sunlogin · Product: sunflower · Version range: not listed · Fixed in: not listed

Detection & IOCs (extracted from sources)

url: /check?cmd=ping../
url: /check?cmd=ping../../../windows/system32/windowspowershell/v1.0/powershell.exe+ipconfig
path: /cgi-bin/rpc
cookie: CID=
snort:
alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Sunlogin Sunflower Simplified 1.0.1.43315 Directory Traversal Attempt (CVE-2022-48323)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/check?cmd=ping../"; fast_pattern; startswith; http.cookie; content:"CID="; startswith; reference:url,www.tenable.com/cve/CVE-2022-48323; reference:cve,2022-48323; classtype:attempted-admin; sid:2044205; rev:2; metadata:created_at 2023_02_14, cve CVE_2022_48323, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_11_26, mitre_tactic_id TA0007, mitre_tactic_name Discovery, mitre_technique_id T1083, mitre_technique_name File_And_Directory_Discovery; target:dest_ip;)
  • The exploit response from stage 1 contains the JSON key 'verify_string' whose value is used as the CID cookie in stage 2. Detect exfiltration of this token as a precursor to RCE.
  • Stage 2 response body contains 'Windows IP' (output of ipconfig via PowerShell), confirming successful RCE. Alert on HTTP responses to /check?cmd= URIs that contain this string.
  • ET rule SID 2044205 (rev:2) fires on GET requests where the URI starts with /check?cmd=ping../ AND the Cookie header starts with CID=. Deploy on Perimeter, Internal, and SSLDecrypt sensors.
  • The vulnerable version is specifically 1.0.1.43315; the path traversal payload targets the fixed path to PowerShell (windows/system32/windowspowershell/v1.0/powershell.exe), but any executable reachable via traversal can be invoked.
  • The exploit requires no authentication; the CID token is freely obtainable from the /cgi-bin/rpc endpoint without credentials.
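The detection notes above describe three observables (the stage-1 token fetch from /cgi-bin/rpc, the ET 2044205 request pattern, and the 'Windows IP' response string). The following Python is an added example, not code from this page or from any vendor, that evaluates those conditions over pre-parsed HTTP transactions. It assumes each transaction is already split into method, URI, Cookie header and response body (as a proxy log or packet parser would provide); the sample transactions and the finding labels are constructed for illustration.

```python
"""Added detection example for the CVE-2022-48323 indicators listed on this page.

Assumes pre-parsed HTTP transactions as (method, uri, cookie_header, response_body).
The sample transactions below are constructed, not captured traffic.
"""
from urllib.parse import unquote

# Constructed sample transactions: (method, uri, cookie, response_body)
SAMPLE_TRANSACTIONS = [
    # stage 1: unauthenticated token fetch; 'verify_string' becomes the CID cookie
    ("GET", "/cgi-bin/rpc", "", '{"verify_string":"sampletoken"}'),
    # stage 2: traversal to powershell.exe, response shows ipconfig output
    ("GET",
     "/check?cmd=ping../../../windows/system32/windowspowershell/v1.0/powershell.exe+ipconfig",
     "CID=sampletoken", "Windows IP Configuration ..."),
    # benign use of the same endpoint: no traversal sequence
    ("GET", "/check?cmd=ping127.0.0.1", "CID=sampletoken", "Reply from 127.0.0.1"),
    # traversal sequence present but not a GET: outside the ET rule's conditions
    ("POST", "/check?cmd=ping../x", "CID=abc", ""),
]


def matches_et_2044205(method, uri, cookie):
    """Mirror the three conditions of ET rule SID 2044205:
    GET method, URI starts with /check?cmd=ping../, Cookie header starts with CID=."""
    return (method == "GET"
            and uri.startswith("/check?cmd=ping../")
            and cookie.startswith("CID="))


def traversal_target(uri):
    """Return the path the 'cmd' argument traverses to, or None if there is no traversal.
    Percent-decodes first so the check is not tied to one exact byte string."""
    decoded = unquote(uri)
    marker = "cmd=ping"
    idx = decoded.find(marker)
    if idx == -1:
        return None
    arg = decoded[idx + len(marker):].split("&")[0]
    if not arg.startswith("../"):
        return None
    # drop the program argument appended after '+' (e.g. '+ipconfig')
    return arg.split("+")[0]


def classify(method, uri, cookie, body):
    """Return the list of finding labels (constructed names) for one transaction."""
    findings = []
    if uri.startswith("/cgi-bin/rpc") and "verify_string" in body:
        findings.append("stage1-cid-token-exposed")
    if matches_et_2044205(method, uri, cookie):
        findings.append("et-2044205-traversal-request")
    if traversal_target(uri) is not None:
        findings.append("traversal-in-uri")
    # page note: 'Windows IP' in a response to a /check?cmd= URI confirms execution
    if uri.startswith("/check?cmd=") and "Windows IP" in body:
        findings.append("stage2-rce-confirmed")
    return findings


def scan(transactions):
    """Classify every transaction; returns a list of (uri, findings) pairs."""
    return [(uri, classify(m, uri, c, b)) for (m, uri, c, b) in transactions]


if __name__ == "__main__":
    for uri, findings in scan(SAMPLE_TRANSACTIONS):
        print(uri, "->", findings or "clean")
```

The `traversal-in-uri` label is broader than the ET rule on purpose: the rule is tied to GET plus a CID cookie, so the fourth sample shows a request that carries the traversal sequence but would not trip SID 2044205. Correlating `stage1-cid-token-exposed` from one client with a later `et-2044205-traversal-request` from the same client is the precursor chain the notes above describe.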

CVSS provenance

nvd: v3.1 · 9.8 CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck: 9.8 CRITICAL