CVE-2022-48323
Published 2023-02-13
CVE-2022-48323: Sunlogin Sunflower Simplified (aka Sunflower Simple and Personal) 1.0.1.43315 is vulnerable to a path traversal issue. A remote and unauthenticated attacker…
Priority P191 · critical 9.8 · CVSS 3.1
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: ITW · EXPLOIT · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 56.79% (98.9th percentile)
Sunlogin Sunflower Simplified (aka Sunflower Simple and Personal) 1.0.1.43315 is vulnerable to a path traversal issue. A remote and unauthenticated attacker can execute arbitrary programs on the victim host by sending a crafted HTTP request, as demonstrated by /check?cmd=ping../ followed by the pathname of the powershell.exe program.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| sunlogin | sunflower | — | — |
Detection & IOCs (extracted from sources)
URL: /check?cmd=ping../../../windows/system32/windowspowershell/v1.0/powershell.exe+ipconfig
Path: /cgi-bin/rpc
Cookie: CID=
Snort rule:
alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Sunlogin Sunflower Simplified 1.0.1.43315 Directory Traversal Attempt (CVE-2022-48323)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/check?cmd=ping../"; fast_pattern; startswith; http.cookie; content:"CID="; startswith; reference:url,www.tenable.com/cve/CVE-2022-48323; reference:cve,2022-48323; classtype:attempted-admin; sid:2044205; rev:2; metadata:created_at 2023_02_14, cve CVE_2022_48323, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_11_26, mitre_tactic_id TA0007, mitre_tactic_name Discovery, mitre_technique_id T1083, mitre_technique_name File_And_Directory_Discovery; target:dest_ip;)
- The exploit response from stage 1 contains the JSON key 'verify_string' whose value is used as the CID cookie in stage 2. Detect exfiltration of this token as a precursor to RCE.
- Stage 2 response body contains 'Windows IP' (output of ipconfig via PowerShell), confirming successful RCE. Alert on HTTP responses to /check?cmd= URIs that contain this string.
- ET rule SID 2044205 (rev:2) fires on GET requests where the URI starts with /check?cmd=ping../ AND the Cookie header starts with CID=. Deploy on Perimeter, Internal, and SSLDecrypt sensors.
- The vulnerable version is specifically 1.0.1.43315; the path traversal payload targets the fixed path to PowerShell (windows/system32/windowspowershell/v1.0/powershell.exe), but any executable reachable via traversal can be invoked.
- The exploit requires no authentication; the CID token is freely obtainable from the /cgi-bin/rpc endpoint without credentials.
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| VulnCheck | — | 9.8 | CRITICAL | — |
GHSA
GHSA-mh2m-m37r-927m · ghsa_unreviewed · 2023-02-13 · CVE-2022-48323 [CRITICAL] · CWE-22
VulnCheck
sunlogin sunflower Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') · vulncheck · 2022 · CVSS 9.8 · CVE-2022-48323 [CRITICAL]
Affected: sunlogin sunflower
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://asec.ahnlab.com/en/47088/; https://www.broadcom.com/support/security-center/protection-bulletin/sunloginclient-cve-2022-10270-vulnerability-expl
Suricata
ET EXPLOIT Sunlogin Sunflower Simplified 1.0.1.43315 Directory Traversal Attempt (CVE-2022-48323) · suricata · 2023-02-14 · CVSS 9.8 · CVE-2022-48323 [CRITICAL]
Rule: SID 2044205 rev:2, quoted in full under Detection & IOCs above.
Nuclei
Sunflower Simple and Personal 1.0.1.43315 - Remote Code Execution · nuclei · CVSS 9.8 · CVE-2022-48323 [CRITICAL]
Template:
```yaml
id: CVE-2022-48323
info:
  name: Sunflower Simple and Personal 1.0.1.43315 - Remote Code Execution
  author: daffainfo
  severity: critical
  description: |
    Sunlogin Sunflower Simplified (aka Sunflower Simple and Personal) 1.0.1.43315 is vulnerable to a path traversal issue. A remote and unauthenticated attacker can execute arbitrary programs on the victim host by sending a crafted HTTP re
```
No writeups or analysis indexed.
References:
- https://asec.ahnlab.com/en/47088/
- https://github.com/projectdiscovery/nuclei-templates/blob/8500efb7c5c52261229bb87b3af8a6e4e5afc877/cnvd/2022/CNVD-2022-03672.yaml
- https://www.cnvd.org.cn/flaw/show/CNVD-2022-03672
Published 2023-02-13 · Exploited in the wild