CVE-2022-28113
Published: 15 April 2022
Summary
CVE-2022-28113 is a high-severity Reliance on Cookies without Validation and Integrity Checking (CWE-565) vulnerability in FANTEC GmbH MWiD25-DS Firmware. Its CVSS 3.1 base score is 7.2 (High).
Operationally, it ranks in the top 7.3% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
The upload.csp endpoint of FANTEC GmbH MWiD25-DS Firmware version 2.000.030 accepts requests that write arbitrary files and reset user passwords without checking for a valid session cookie. The flaw is tracked as CVE-2022-28113, scored 7.2 under CVSS 3.1, and classified as CWE-565 (Reliance on Cookies without Validation and Integrity Checking). It affects the network-accessible web management interface of that firmware build.
The 7.2 score reflects a vector that rates the attacker as needing high privileges (PR:H) while granting full control over confidentiality, integrity, and availability. That privilege rating sits awkwardly with the description, which says no valid session cookie is needed; defenders should therefore assume that anyone who can reach the management interface can upload arbitrary files and reset administrative passwords, and so take over the device. The current and peak EPSS scores are both 0.0878, with no material increase observed since disclosure.
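The weakness class behind this CVE is easiest to see as code. The following is an added example, not FANTEC's firmware: a handler in the vulnerable pattern (state is changed without asking whether a session exists, which is what the advisory describes for upload.csp) beside a hardened handler that validates the cookie against a server-side session store with an HMAC integrity tag and an expiry. The request shape, the form field names (filename, content, user, newpass), the cookie name "session", the SESSION_TTL value and the SessionStore design are all assumptions made for illustration.

```python
"""CWE-565 in the shape described for upload.csp, beside a hardened handler.

Added example code, not FANTEC's firmware. The request shape, the form field
names, the session cookie name and the SessionStore design are assumptions.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, Optional

SESSION_TTL = 900  # seconds; assumed value for the illustration


@dataclass
class Request:
    path: str
    cookies: Dict[str, str] = field(default_factory=dict)
    form: Dict[str, str] = field(default_factory=dict)


@dataclass
class Device:
    """Constructed stand-in for the state that upload.csp can change."""
    files: Dict[str, str] = field(default_factory=dict)
    passwords: Dict[str, str] = field(default_factory=lambda: {"admin": "initial"})


def apply_changes(req: Request, device: Device) -> None:
    """The privileged actions the advisory names: write a file, reset a password."""
    if "filename" in req.form:
        device.files[req.form["filename"]] = req.form.get("content", "")
    if "newpass" in req.form:
        device.passwords[req.form.get("user", "admin")] = req.form["newpass"]


def vulnerable_upload(req: Request, device: Device) -> int:
    """Vulnerable pattern: the handler never asks whether a session exists, so a
    request with no cookie at all is served exactly like an admin's request."""
    if req.path != "/upload.csp":
        return 404
    apply_changes(req, device)
    return 200


class SessionStore:
    """Server-side session registry. The cookie carries '<id>.<hmac(id)>', so a
    client cannot mint its own id, and the id must also exist in the store."""

    def __init__(self, key: bytes):
        self._key = key
        self._sessions: Dict[str, dict] = {}

    def _sign(self, sid: str) -> str:
        return hmac.new(self._key, sid.encode(), hashlib.sha256).hexdigest()

    def create(self, user: str, now: Optional[float] = None) -> str:
        sid = secrets.token_urlsafe(32)
        start = time.time() if now is None else now
        self._sessions[sid] = {"user": user, "expires": start + SESSION_TTL}
        return f"{sid}.{self._sign(sid)}"

    def validate(self, cookie: Optional[str], now: Optional[float] = None) -> Optional[str]:
        """Return the session's user for a correctly signed, known, unexpired
        cookie; None for anything else (missing, tampered, unknown, expired)."""
        if not cookie or "." not in cookie:
            return None
        sid, tag = cookie.rsplit(".", 1)
        if not tag.isascii() or not hmac.compare_digest(tag, self._sign(sid)):
            return None  # integrity check failed: forged or tampered cookie
        sess = self._sessions.get(sid)
        if sess is None:
            return None  # signature fine, but no such live session (logged out / never issued)
        current = time.time() if now is None else now
        if current > sess["expires"]:
            self._sessions.pop(sid, None)
            return None  # expired
        return sess["user"]


def hardened_upload(req: Request, device: Device, store: SessionStore,
                    now: Optional[float] = None) -> int:
    """Hardened pattern: validate the cookie against the server-side store
    before touching any state, and only let the admin session reset passwords."""
    if req.path != "/upload.csp":
        return 404
    user = store.validate(req.cookies.get("session"), now)
    if user is None:
        return 401  # no cookie, forged cookie, unknown or expired session
    if "newpass" in req.form and user != "admin":
        return 403  # authenticated, but not allowed to reset passwords
    apply_changes(req, device)
    return 200
```

The point of the hardened version is that a cookie's presence proves nothing: the tag is checked with a constant-time compare, the id must exist server-side, and the session must not have expired, and all of that happens before any file is written or password changed.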
Public references consist of researcher reports, proof-of-concept code, and supporting materials hosted on GitHub and file-sharing services; none of the listed sources describe vendor patches or official mitigation steps.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-32596
Vulnerability details
An issue in upload.csp of FANTEC GmbH MWiD25-DS Firmware v2.000.030 allows attackers to write files and reset the user passwords without having a valid session cookie.
- CWE-565: Reliance on Cookies without Validation and Integrity Checking
Related Threats
No named threat actor has been attributed to exploitation of this CVE, and no ATT&CK technique mapping has been published for it yet.
Affected Assets
- FANTEC GmbH MWiD25-DS Firmware v2.000.030 (network-accessible web management interface, upload.csp endpoint)
Mitigating Controls
None of the public sources describe a vendor patch or official mitigation. Until one is available, do not expose the device's web management interface to untrusted networks, restrict reachability of the interface (including upload.csp) to an administrative network segment, and audit access logs for requests to upload.csp that carry no session cookie, since the flaw means such requests can write files and reset passwords.
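One concrete form of the log audit suggested above, as an added example rather than a vendor tool: a scanner that flags requests to upload.csp that arrived without a session cookie. The log format is constructed for this illustration; it assumes a reverse proxy in front of the device that records the request line, status and the Cookie header (Apache-style %{Cookie}i), and the sample lines are made up so the block runs offline.

```python
"""Flag requests to upload.csp that were served (or attempted) without a
session cookie, from proxy-style access logs.

Added example, not a vendor tool. The log format and the sample lines are
constructed; they assume a proxy that logs the Cookie header.
"""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: timestamp, client IP, request line, status, cookie header ("-" = absent)
SAMPLE_LOG = """\
2022-04-20T09:58:11Z 192.0.2.10 "GET /index.csp HTTP/1.1" 200 cookie="session=0d5f1a"
2022-04-20T09:58:40Z 192.0.2.10 "POST /upload.csp HTTP/1.1" 200 cookie="session=0d5f1a"
2022-04-20T10:01:02Z 198.51.100.7 "POST /upload.csp HTTP/1.1" 200 cookie="-"
2022-04-20T10:01:03Z 198.51.100.7 "POST /upload.csp?x=1 HTTP/1.1" 200 cookie="tracking=1"
2022-04-20T10:02:15Z 192.0.2.22 "GET /upload.csp HTTP/1.1" 401 cookie="-"
garbage line that does not parse
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<ip>\S+) "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) cookie="(?P<cookie>[^"]*)"$'
)

SERVED = "served without session cookie"
REJECTED = "rejected without session cookie"


@dataclass
class Finding:
    ts: str
    ip: str
    method: str
    status: int
    reason: str


def _has_session_cookie(cookie_header: str) -> bool:
    """True only if a cookie literally named 'session' is present; other cookies
    (tracking, preferences) do not count as authentication."""
    if cookie_header == "-":
        return False
    return any(part.strip().startswith("session=") for part in cookie_header.split(";"))


def scan(log_text: str, endpoint: str = "/upload.csp") -> List[Finding]:
    """Return one Finding per request to `endpoint` that carried no session
    cookie. A 2xx/3xx answer means the device served it (the CVE behaviour);
    a 4xx/5xx answer is an attempt the device refused."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline should count and surface these
        path = m["path"].split("?", 1)[0]  # ignore query string when matching the endpoint
        if path != endpoint:
            continue
        if _has_session_cookie(m["cookie"]):
            continue
        status = int(m["status"])
        reason = SERVED if status < 400 else REJECTED
        findings.append(Finding(m["ts"], m["ip"], m["method"], status, reason))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.ts} {f.ip} {f.method} {f.status} {f.reason}")
```

On the vulnerable firmware every "served" finding is a request that could have written a file or reset a password; on a device that enforces sessions, the same requests show up as "rejected" and are worth watching as probing.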