Cyber Resilience

CVE-2022-31137

Critical · Public PoC · RCE

Published: 08 July 2022
Modified: 21 November 2024
KEV Added: not listed (not in the CISA KEV catalog)
Patch: see the corrective commit noted under Deeper analysis
CVSS v3.1 score: 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
EPSS score: 0.9397 (99.9th percentile)
Risk Priority: 76 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2022-31137 is a critical-severity OS Command Injection (CWE-78) vulnerability in Roxy-WI. Its CVSS base score is 10.0 (Critical).

Operationally, it ranks in the top 0.1% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

Deeper analysis

Roxy-WI is a web interface for managing HAProxy, Nginx, Apache, and Keepalived servers. Versions prior to 6.1.1.0 contain a remote code execution vulnerability caused by missing input validation in the subprocess_execute function within /app/options.py, which directly passes user-supplied data to system commands and corresponds to CWE-78.

Unauthenticated attackers with network access can exploit the flaw remotely to execute arbitrary operating-system commands. The CVSS 3.1 score of 10.0 reflects the absence of required authentication, privileges, or user interaction combined with full confidentiality, integrity, and availability impact under a changed scope.

Public references include multiple PacketStorm exploit files demonstrating remote command execution against versions 6.1.0.0 and earlier, along with the corrective commit that addresses the issue. The project advisory states that users should upgrade to 6.1.1.0 or later, as no workarounds are known. The associated EPSS score remains consistently high, with a current value of 0.9397 and a peak of 0.9498.

EU & UK References

Vulnerability details

Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. Versions prior to 6.1.1.0 are subject to a remote code execution vulnerability. System commands can be run remotely via the subprocess_execute function without processing the inputs received from the user in the /app/options.py file. Attackers need not be authenticated to exploit this vulnerability. Users are advised to upgrade. There are no known workarounds for this vulnerability.

CWE(s)

CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: roxy-wi
Product: roxy-wi
Affected versions: ≤ 6.1.1.0 (the advisory text identifies versions prior to 6.1.1.0 as affected and 6.1.1.0 as the fixed release)

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

- Addresses CWE-78: Platform-independent apps typically execute inside a managed runtime or sandbox that restricts direct OS command execution, reducing the ability to exploit OS command injection.

- Addresses CWE-78: Validates inputs to block special elements that would alter OS command execution.
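As an added illustration (not Roxy-WI's own code, and not taken from the advisory or the referenced PacketStorm files), the snippet below contrasts the generic CWE-78 pattern, a shell string with user data spliced in, against the hardened form the control above describes: an allowlist validator and an argument vector handed to subprocess without a shell. The function names (validate_host, is_valid_host, build_command_vulnerable, build_command_hardened, contains_command_separator, run_hardened), the ping command and the sample inputs are all constructed for this example.

```python
"""Generic OS command injection (CWE-78) pattern and its hardened counterpart.
Added example; it is not Roxy-WI code and does not model /app/options.py."""
import re
import shlex
import subprocess

# Allowlist for a hostname / IPv4-literal parameter (constructed for this example):
# letters, digits, dots and hyphens only, no whitespace and no shell metacharacters.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9.-]{0,252}[A-Za-z0-9])?$")

# Tokens that would make a shell start a second command or a pipeline.
COMMAND_SEPARATORS = {";", "&&", "||", "|", "&"}


def validate_host(value: str) -> str:
    """Return the value unchanged if it matches the allowlist, else raise ValueError."""
    if not HOSTNAME_RE.fullmatch(value):
        raise ValueError(f"rejected host parameter: {value!r}")
    return value


def is_valid_host(value: str) -> bool:
    """Boolean form of validate_host, convenient for request-handling code and tests."""
    try:
        validate_host(value)
        return True
    except ValueError:
        return False


def build_command_vulnerable(host: str) -> str:
    """The injectable pattern: user input is spliced into one shell string.
    Kept only to contrast with the hardened builder; never hand this to shell=True."""
    return f"ping -c 1 {host}"


def contains_command_separator(cmd: str) -> bool:
    """Tokenize a shell string the way a POSIX shell would and report whether any
    token is a command separator. Useful as a guardrail or as a log-review check."""
    lexer = shlex.shlex(cmd, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    return any(tok in COMMAND_SEPARATORS for tok in lexer)


def build_command_hardened(host: str) -> list:
    """Argument vector: the validated host is a single argv element, so shell
    metacharacters cannot change what gets executed even if validation were weaker."""
    return ["ping", "-c", "1", validate_host(host)]


def run_hardened(host: str, timeout: float = 5.0) -> subprocess.CompletedProcess:
    """Execute the hardened argv with shell=False and a timeout."""
    return subprocess.run(
        build_command_hardened(host),
        shell=False,
        capture_output=True,
        text=True,
        timeout=timeout,
    )


if __name__ == "__main__":
    # Constructed sample inputs: one benign, one carrying a separator.
    for sample in ("web01.example.com", "web01; echo injected"):
        shell_string = build_command_vulnerable(sample)
        print(f"{sample!r}: valid={is_valid_host(sample)} "
              f"separator_in_shell_string={contains_command_separator(shell_string)}")
```

The shell-string check is a detection aid, not a substitute for the argv form: the durable fix is to never build a shell string from request data at all, and to reject anything outside a tight allowlist before it reaches subprocess.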

References