CVE-2022-29593
Published: 14 July 2022
Summary
CVE-2022-29593 is a medium-severity Authentication Bypass by Capture-replay (CWE-294) vulnerability in Dingtian-Tech Dt-R004 Firmware. Its CVSS base score is 5.9 (Medium).
Operationally, it is ranked in the top 7.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
CVE-2022-29593 is an authentication bypass vulnerability in the relay_cgi.cgi component of Dingtian DT-R002 2CH relay devices running firmware version 3.1.276A. The flaw, categorized under CWE-294, permits replay of captured HTTP POST requests without requiring valid authentication, signatures, or authorization tokens. It carries a CVSS 3.1 score of 5.9 reflecting network attack vector, high complexity, and high integrity impact with no confidentiality or availability effects.
An unauthenticated attacker with network access can capture legitimate POST requests and replay them to alter device state, such as toggling relays, without possessing credentials or session tokens. The attack succeeds because the firmware does not enforce replay protection or request uniqueness checks on the affected CGI endpoint.
Public advisories and exploit artifacts are available from Trustwave SpiderLabs and Packet Storm, documenting the capture-replay technique against the listed firmware. The associated EPSS score has remained flat at 0.0817 with no material increase after disclosure.
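The root cause described above is that the endpoint performs no request-uniqueness check, so a captured POST stays valid forever. The following is an added example (not Dingtian's firmware and not code from the cited advisories) of the server-side check that closes this class of weakness: each command carries a timestamp, a one-time nonce and an HMAC over all of them under an assumed pre-shared device key, and the verifier rejects stale, replayed or altered requests.

```python
import hmac
import hashlib
import secrets
import time

# Constructed example of replay protection for a relay control endpoint.
# The key and the request field names are assumptions for illustration.
SECRET = b"example-pre-shared-key"  # assumption: provisioned per device
MAX_SKEW = 30  # seconds a signed request remains valid


def sign_request(body: str, ts: int, nonce: str, key: bytes = SECRET) -> str:
    # Bind method, path, time, nonce and the relay command into one MAC so
    # none of them can be changed or reused independently.
    msg = f"POST\n/relay_cgi.cgi\n{ts}\n{nonce}\n{body}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class ReplayGuard:
    """Accepts each signed request at most once inside the time window."""

    def __init__(self, key: bytes = SECRET, max_skew: int = MAX_SKEW):
        self.key = key
        self.max_skew = max_skew
        self.seen = {}  # nonce -> timestamp at which it was first accepted

    def check(self, req: dict, now: int) -> str:
        # Every rejection names its reason so it can be logged and alerted on.
        try:
            ts, nonce, body, sig = req["ts"], req["nonce"], req["body"], req["sig"]
        except KeyError:
            return "rejected: missing field"
        if abs(now - ts) > self.max_skew:
            return "rejected: stale timestamp"
        # Drop nonces that can no longer pass the time check; keeps the cache bounded.
        self.seen = {n: t for n, t in self.seen.items() if now - t <= self.max_skew}
        if nonce in self.seen:
            return "rejected: replayed nonce"
        expected = sign_request(body, ts, nonce, self.key)
        if not hmac.compare_digest(expected, sig):  # constant-time comparison
            return "rejected: bad signature"
        self.seen[nonce] = ts
        return "accepted"


def make_request(body: str, now: int) -> dict:
    # Client side: a fresh nonce per command, signed with the shared key.
    nonce = secrets.token_hex(8)
    return {"ts": now, "nonce": nonce, "body": body, "sig": sign_request(body, now, nonce)}


if __name__ == "__main__":
    guard = ReplayGuard()
    t0 = int(time.time())
    req = make_request('{"relay": 1, "state": "on"}', t0)
    print(guard.check(req, t0))       # accepted
    print(guard.check(req, t0 + 5))   # rejected: replayed nonce
```

A second submission of the identical captured request is refused on the nonce, and once the window has passed it is refused on the timestamp, so the cache never has to grow beyond one window of traffic.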
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-33925
Vulnerability details
relay_cgi.cgi on Dingtian DT-R002 2CH relay devices with firmware 3.1.276A allows an attacker to replay HTTP POST requests without the need for authentication or a valid signed/authorized request.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Allows detection of capture-replay attacks by showing the replayed logon's timestamp as the last logon.
Protects against replay of captured session tokens or credentials by requiring authenticated, fresh session channels.
Wireless link protections commonly incorporate replay protection, reducing the exploitability of capture-replay weaknesses.
Accurate synchronized time enables tight timestamp windows that directly limit capture-replay windows in authentication protocols.