
CVE-2022-29303

Critical · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC · RCE

Published: 12 May 2022
Modified: 03 November 2025
KEV Added: 13 July 2023
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.9437 (100.0th percentile)
Risk Priority: 96 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2022-29303 is a critical-severity OS Command Injection (CWE-78) vulnerability in Contec Sv-Cpt-Mc310 Firmware. Its CVSS base score is 9.8 (Critical).

Operationally, it ranks in the top 0.0% of CVEs by exploit likelihood (EPSS); CISA has added it to the Known Exploited Vulnerabilities catalog; and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

SolarView Compact version 6.00 contains a command injection vulnerability in conf_mail.php that is tracked as CVE-2022-29303. The flaw is classified under CWE-78 and carries a CVSS 3.1 score of 9.8, reflecting network-accessible exploitation without authentication or user interaction that can result in full confidentiality, integrity, and availability impact.

Unauthenticated remote attackers can supply crafted input to the affected PHP component and execute arbitrary operating-system commands on the underlying host. Successful exploitation grants the attacker the ability to run code with the privileges of the web application, enabling complete system compromise.

The vulnerability appears in the CISA Known Exploited Vulnerabilities catalog and is accompanied by public exploit code on Packet Storm, indicating confirmed in-the-wild use. Its EPSS score has reached a peak of 0.9691 with a current value of 0.9437, underscoring sustained exploitation interest after disclosure.

Vulnerability details

SolarView Compact ver.6.00 was discovered to contain a command injection vulnerability via conf_mail.php.

CWE(s): CWE-78 (OS Command Injection)
KEV Date Added: 13 July 2023

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: contec
Product: sv-cpt-mc310 firmware
Version: 6.00

Mitigating Controls (NIST 800-53 r5)

Prevent (SI-10, Information Input Validation): Requires validation and sanitization of all input to conf_mail.php so that attacker-supplied strings cannot be passed directly to operating-system commands.

Prevent (AC-3, Access Enforcement): Enforces authentication and authorization checks before any request to conf_mail.php is processed, blocking the unauthenticated remote access path used by the exploit.

Prevent: Mandates prompt application of vendor patches or configuration changes that eliminate the command-injection flaw in SolarView Compact 6.00.