CVE-2022-31137
Published: 08 July 2022
Summary
CVE-2022-31137 is a critical-severity OS Command Injection (CWE-78) vulnerability in the Roxy-WI web interface (vendor Roxy-Wi). Its CVSS base score is 10.0 (Critical).
Operationally, it is ranked in the top 0.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
Roxy-WI is a web interface for managing HAProxy, Nginx, Apache, and Keepalived servers. Versions prior to 6.1.1.0 contain a remote code execution vulnerability: the subprocess_execute function in /app/options.py passes user-supplied data to system commands without input validation, which is the weakness class CWE-78 (OS Command Injection).
Unauthenticated attackers with network access can exploit the flaw remotely to execute arbitrary operating-system commands. The CVSS 3.1 score of 10.0 reflects the absence of required authentication, privileges, or user interaction combined with full confidentiality, integrity, and availability impact under a changed scope.
Public references include multiple PacketStorm exploit files demonstrating remote command execution against versions 6.1.0.0 and earlier, along with the corrective commit that addresses the issue. The project advisory states that users should upgrade to 6.1.1.0 or later, as no workarounds are known. The associated EPSS score remains consistently high, with a current value of 0.9397 and a peak of 0.9498.
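The CWE-78 pattern the advisory describes, shown as an added illustration beside its hardened form; this is hypothetical code written for this page, not Roxy-WI's own subprocess_execute, and the names HOST_RE, ALLOWED_ACTIONS, build_command_unsafe, validate_request and echo_argument are assumptions.

```python
import re
import subprocess
import sys

# Hypothetical illustration of CWE-78 in a Python management UI. Nothing
# here is taken from Roxy-WI's /app/options.py; the names are assumptions.
HOST_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9.-]{0,252})$")
ALLOWED_ACTIONS = frozenset({"start", "stop", "restart", "reload", "status"})


def build_command_unsafe(action: str, host: str) -> str:
    """Vulnerable pattern: request fields are interpolated into one shell
    string. A host value such as 'lb1; id' reaches the shell verbatim, so
    the attacker-controlled text becomes a second command."""
    return f"ssh {host} sudo systemctl {action} haproxy"


def validate_request(action: str, host: str) -> tuple[bool, str]:
    """Allowlist every user-controlled field before it reaches a command."""
    if action not in ALLOWED_ACTIONS:
        return False, f"unsupported action {action!r}"
    if not HOST_RE.fullmatch(host):
        return False, f"host {host!r} is not a plain hostname"
    return True, "ok"


def build_command_safe(action: str, host: str) -> list[str]:
    """Hardened pattern: validate, then build an argv list. Each field is
    exactly one argument and no shell parser ever sees the values."""
    ok, reason = validate_request(action, host)
    if not ok:
        raise ValueError(reason)
    return ["ssh", host, "sudo", "systemctl", action, "haproxy"]


def subprocess_execute(argv: list[str]) -> str:
    """Run an argv list without shell=True and return its stdout.
    Shell metacharacters inside any argument are inert here."""
    result = subprocess.run(argv, capture_output=True, text=True, check=False)
    return result.stdout


def echo_argument(value: str) -> str:
    """Harmless local run proving a tainted value stays one argv token."""
    code = "import sys; print(sys.argv[1])"
    return subprocess_execute([sys.executable, "-c", code, value]).strip()


if __name__ == "__main__":
    tainted = "lb1; id"
    print("unsafe string:", build_command_unsafe("reload", tainted))
    print("validation:", validate_request("reload", tainted))
    print("argv token:", echo_argument(tainted))
```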
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-52765
Vulnerability details
Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. Versions prior to 6.1.1.0 are subject to a remote code execution vulnerability. System commands can be run remotely via the subprocess_execute function without processing the inputs received from the user in the /app/options.py file. Attackers need not be authenticated to exploit this vulnerability. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.