CVE-2023-22855
Published 2023-02-15
Priority: P276
Severity: critical
CVSS 3.1: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Exploit: public exploit available
EPSS: 14.83% (96.3th percentile)
Kardex Mlog MCC 5.7.12+0-a203c2a213-master allows remote code execution. It spawns a web interface listening on port 8088. A user-controllable path is handed to a path-concatenation method (Path.Combine from .NET) without proper sanitisation. This yields the possibility of including local files, as well as remote files on SMB shares. If one provides a file with the extension .t4, it is rendered with the .NET templating engine mono/t4, which can execute code.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| kardex | kardex_control_center | — | — |
Detection & IOCs (extracted from sources)
- Detect path traversal / UNC path injection in HTTP requests to port 8088: look for requests containing backslash sequences (e.g., `\\<host>\`) or UNC paths in the URL path component targeting the Kardex MCC web interface.
- Alert on HTTP GET requests to port 8088 containing `\Windows\win.ini` in the URL path — this is the probe/LFI check used by the exploit to confirm vulnerability.
- Alert on HTTP GET requests to port 8088 where the URL path contains a UNC path pattern (`\\<ip>\<share>\*.t4`), indicating attempted remote .t4 template inclusion for RCE via the mono/t4 engine.
- Monitor for outbound SMB (port 445) connections originating from the Kardex MCC host to external/attacker-controlled IPs, which would indicate successful UNC path coercion and remote file inclusion.
- Detect the exploit's characteristic HTTP header `Accept-Encoding: deflate` (without gzip or other encodings) in requests to port 8088, as this is hardcoded in both the probe and trigger functions of the public exploit.
- Monitor for creation of files named `exploit.t4` on SMB shares or in directories accessible by the Kardex MCC service, as this is the payload filename used by the public exploit.
- Detect PowerShell reverse shell execution spawned by the Kardex MCC process: look for `System.Net.Sockets.TCPClient` instantiation or base64-encoded PowerShell commands (`-EncodedCommand`) launched as child processes of the MCC service.
- The vulnerable version is specifically `5.7.12+0-a203c2a213-master`; detections should be scoped to hosts running this exact build of Kardex Mlog MCC.
- The web interface listens on non-standard port 8088; ensure network monitoring and WAF/IDS rules are applied to this port, not just 80/443.
- The exploit was tested on Windows Server 2016; SMB coercion and UNC path inclusion behavior may differ on other OS versions or with SMB signing enforced.
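The HTTP indicators listed above can be checked together in one pass over web or proxy logs; the following is an added example, not a rule from the advisory or the vendor, that classifies constructed log lines after percent-decoding the request target. The log format, tag names, sample addresses and file name, and the choice to report the `Accept-Encoding: deflate` header only alongside a path indicator are assumptions.

```python
import re
from urllib.parse import unquote

MCC_PORT = 8088  # web interface port named in the advisory text
# Constructed sample lines; assumed format: src dst_port method target accept-encoding
SAMPLE_LOG = r"""
10.0.0.5 8088 GET /index.html gzip, deflate
10.0.0.9 8088 GET /%5CWindows%5Cwin.ini deflate
10.0.0.9 8088 GET /\\192.0.2.10\share\tmpl.t4 deflate
10.0.0.9 8088 GET /%255C%255C192.0.2.10%255Cshare%255Ctmpl.T4 gzip
10.0.0.7 80 GET /%5CWindows%5Cwin.ini deflate
"""
PATH_RULES = [
    ("lfi-probe", re.compile(r"\\windows\\win\.ini", re.I)),
    ("unc-path", re.compile(r"\\\\[^\\/\s]+\\[^\\/\s]+\\")),
    ("remote-t4", re.compile(r"\\\\[^\\/\s]+\\[^\\/\s]+\\.*\.t4(?:$|[?#])", re.I)),
]

def decode_target(target, max_rounds=3):
    """Percent-decode repeatedly (bounded) so %5C and %255C both become a backslash."""
    for _ in range(max_rounds):
        target, prev = unquote(target), target
        if target == prev:
            break
    return target

def classify(port, target, accept_encoding):
    """Return the indicator tags matching one request to the MCC port."""
    if port != MCC_PORT:
        return []
    path = decode_target(target)
    tags = [name for name, rx in PATH_RULES if rx.search(path)]
    # Assumption: "deflate" alone is a weak signal, so report it only beside a path hit.
    if tags and accept_encoding.strip().lower() == "deflate":
        tags.append("accept-encoding-deflate-only")
    return tags

def scan(log_text):
    """Return (source, raw target, tags) for every line with at least one indicator."""
    hits = []
    for line in log_text.strip().splitlines():
        src, port, _method, target, enc = line.split(None, 4)
        tags = classify(int(port), target, enc)
        if tags:
            hits.append((src, target, tags))
    return hits

if __name__ == "__main__":
    print(*scan(SAMPLE_LOG), sep="\n")
```

Matching on the raw target alone would miss the percent-encoded and double-encoded backslashes in the second and fourth sample lines, which is why the decode step runs before the patterns.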
References
- http://packetstormsecurity.com/files/171046/Kardex-Mlog-MCC-5.7.12-0-a203c2a213-master-File-Inclusion-Remote-Code-Execution.html
- http://packetstormsecurity.com/files/171689/Kardex-Mlog-MCC-5.7.12-Remote-Code-Execution.html
- http://seclists.org/fulldisclosure/2023/Feb/10
- https://github.com/patrickhener/CVE-2023-22855/blob/main/advisory/advisory.md
- https://www.exploit-db.com/exploits/51239