CVE-2023-22855
published 2023-02-15


Priority P276 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 14.83% (96.3th percentile)
Kardex Mlog MCC 5.7.12+0-a203c2a213-master allows remote code execution. It spawns a web interface listening on port 8088. A user-controllable path is handed to a path-concatenation method (Path.Combine from .NET) without proper sanitisation. This yields the possibility of including local files, as well as remote files on SMB shares. If one provides a file with the extension .t4, it is rendered with the .NET templating engine mono/t4, which can execute code.

Affected

1 range
Vendor | Product | Version range | Fixed in
kardex | kardex_control_center | |

Detection & IOCs (extracted from sources)

port: 8088
url: /\Windows\win.ini
filename: exploit.t4
path: \\<lhost>\SHARE\exploit.t4
port: 445
version: 5.7.12+0-a203c2a213-master
  • Detect path traversal / UNC path injection in HTTP requests to port 8088: look for requests containing backslash sequences (e.g., `\\<host>\`) or UNC paths in the URL path component targeting the Kardex MCC web interface.
  • Alert on HTTP GET requests to port 8088 containing `\Windows\win.ini` in the URL path — this is the probe/LFI check used by the exploit to confirm vulnerability.
  • Alert on HTTP GET requests to port 8088 where the URL path contains a UNC path pattern (`\\<ip>\<share>\*.t4`), indicating attempted remote .t4 template inclusion for RCE via the mono/t4 engine.
  • Monitor for outbound SMB (port 445) connections originating from the Kardex MCC host to external/attacker-controlled IPs, which would indicate successful UNC path coercion and remote file inclusion.
  • Detect the exploit's characteristic HTTP header `Accept-Encoding: deflate` (without gzip or other encodings) in requests to port 8088, as this is hardcoded in both the probe and trigger functions of the public exploit.
  • Monitor for creation of files named `exploit.t4` on SMB shares or in directories accessible by the Kardex MCC service, as this is the payload filename used by the public exploit.
  • Detect PowerShell reverse shell execution spawned by the Kardex MCC process: look for `System.Net.Sockets.TCPClient` instantiation or base64-encoded PowerShell commands (`-EncodedCommand`) launched as child processes of the MCC service.
  • The vulnerable version is specifically `5.7.12+0-a203c2a213-master`; detections should be scoped to hosts running this exact build of Kardex Mlog MCC.
  • The web interface listens on non-standard port 8088; ensure network monitoring and WAF/IDS rules are applied to this port, not just 80/443.
  • The exploit was tested on Windows Server 2016; SMB coercion and UNC path inclusion behavior may differ on other OS versions or with SMB signing enforced.
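
The request-path checks listed above, as an added example (not code from the advisory, the vendor or any cited source): a Python filter that applies them to access-log lines. The log format, rule names and sample lines are constructed for illustration, and decoding percent-encoded backslashes before matching is an assumption that goes beyond what the page states.

```python
import re
from urllib.parse import unquote

MCC_PORT = 8088  # Kardex MCC web interface port, from the advisory

# Patterns are matched against the percent-decoded request path.
UNC_RE = re.compile(r"\\\\[^\\/\s]+\\[^\\/\s]+")          # \\host\share
T4_UNC_RE = re.compile(r"\\\\[^\\/\s]+\\.*\.t4$", re.I)   # \\host\...\x.t4
WININI_RE = re.compile(r"\\windows\\win\.ini$", re.I)     # LFI probe path

def decode_target(target):
    """Percent-decode repeatedly so %5C and %255C both become backslashes."""
    for _ in range(3):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target.split("?", 1)[0]  # drop any query string

def classify(port, target):
    """Return the names of the (hypothetical) rules a request matches."""
    if port != MCC_PORT:
        return []
    path = decode_target(target)
    hits = []
    if WININI_RE.search(path):
        hits.append("lfi-probe-win-ini")
    if T4_UNC_RE.search(path):
        hits.append("unc-t4-template-inclusion")
    elif UNC_RE.search(path):
        hits.append("unc-path-in-url")
    return hits

def scan(log_lines):
    """Yield (source_ip, target, rules) for each flagged log line."""
    for line in log_lines:
        src, port, _method, target = line.split(maxsplit=3)
        rules = classify(int(port), target)
        if rules:
            yield src, target, rules

# Constructed sample log: "<src_ip> <dst_port> <method> <request-target>"
SAMPLE = [
    "10.0.0.5 8088 GET /index.html",
    "10.0.0.9 8088 GET /\\Windows\\win.ini",
    "10.0.0.9 8088 GET /%5C%5C192.0.2.10%5CSHARE%5Cexploit.t4",
    "10.0.0.9 8088 GET /\\\\192.0.2.10\\SHARE\\notes.txt",
    "10.0.0.7 443 GET /\\Windows\\win.ini",
]

if __name__ == "__main__":
    for src, target, rules in scan(SAMPLE):
        print(src, target, ",".join(rules))
```

Matching on the decoded path keeps the rules independent of how a client encodes the backslashes; pair the alerts with the outbound SMB monitoring above to tell probes from successful inclusion.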