
CVE-2022-45291

High · Public PoC

Published: 25 April 2023

Modified: 04 February 2025
KEV Added
Patch
CVSS Score v3.1: 7.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0269 (86.2th percentile)
Risk Priority: 16 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2022-45291 is a high-severity Use of Hard-coded Credentials (CWE-798) vulnerability in Pwsdashboard Personal Weather Station Dashboard. Its CVSS base score is 7.2 (High).

Operationally, it ranks in the top 13.8% of CVEs by exploit likelihood, it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

Deeper analysis

PWS Personal Weather Station Dashboard (PWS_Dashboard) LTS December 2020 (2012_lts) contains a remote code execution vulnerability that permits injection of arbitrary PHP code into settings.php. The flaw is reachable through the PWS_printfile.php, PWS_frame_text.php, PWS_listfile.php, PWS_winter.php, and PWS_easyweathersetup.php endpoints and is facilitated by an undocumented hardcoded password of “support” (distinct from the documented setup password 12345). The issue is tracked as CWE-798 and carries a CVSS 3.1 score of 7.2.

An attacker who obtains administrative credentials—facilitated by the hardcoded password—can supply crafted PHP payloads via the affected endpoints and achieve arbitrary code execution on the server, resulting in full compromise of confidentiality, integrity, and availability. The vulnerability was addressed by the vendor in a release issued in late 2022.

The project site at pwsdashboard.com and the detailed analysis at cavefxa.com indicate that users should upgrade to a current, patched version of PWS_Dashboard. The associated EPSS score reached a peak of 0.0564 before receding to its current value of 0.0269; no confirmed in-the-wild exploitation has been reported.


Vulnerability details

PWS Personal Weather Station Dashboard (PWS_Dashboard) LTS December 2020 (2012_lts) allows remote code execution by injecting PHP code into settings.php. Attacks can use the PWS_printfile.php, PWS_frame_text.php, PWS_listfile.php, PWS_winter.php, and PWS_easyweathersetup.php endpoints. A contributing factor is a hardcoded login password of support, which is not documented. (This is not the same as the documented setup password, which is 12345.) The issue was fixed in late 2022.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

pwsdashboard
personal weather station dashboard
all versions

Mitigating Controls

Likely Mitigating Controls (AI)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-798

Enables users to notice when hard-coded credentials have been exploited for unauthorized access.

addresses: CWE-798

Security training explicitly warns against hard-coded credentials, lowering their use in systems.

addresses: CWE-798

Policy and procedures prohibit hard-coded credentials in favor of managed authentication.

addresses: CWE-798

External identity providers eliminate the need for hard-coded credentials in applications.

addresses: CWE-798

Changing default authenticators prior to first use and protecting content prevents use of hard-coded credentials.

addresses: CWE-798

Central credential stores and rotation policies remove the need for hard-coded credentials in configuration files or code.

addresses: CWE-798

Intelligence programs surface reports of campaigns that abuse hard-coded credentials in products, prompting removal or replacement and thereby reducing successful exploitation.

addresses: CWE-798

Planned investment enables secure credential storage and management systems instead of hard-coded credentials.
