CVE-2022-45291
Published: 25 April 2023
Summary
CVE-2022-45291 is a high-severity Use of Hard-coded Credentials (CWE-798) vulnerability in Pwsdashboard Personal Weather Station Dashboard. Its CVSS base score is 7.2 (High).
Operationally, ranked in the top 13.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
PWS Personal Weather Station Dashboard (PWS_Dashboard) LTS December 2020 (2012_lts) contains a remote code execution vulnerability that permits injection of arbitrary PHP code into settings.php. The flaw is reachable through the PWS_printfile.php, PWS_frame_text.php, PWS_listfile.php, PWS_winter.php, and PWS_easyweathersetup.php endpoints and is facilitated by an undocumented hardcoded password of “support” (distinct from the documented setup password 12345). The issue is tracked as CWE-798 and carries a CVSS 3.1 score of 7.2.
An attacker who obtains administrative credentials—facilitated by the hardcoded password—can supply crafted PHP payloads via the affected endpoints and achieve arbitrary code execution on the server, resulting in full compromise of confidentiality, integrity, and availability. The vulnerability was addressed by the vendor in a release issued in late 2022.
The project site at pwsdashboard.com and the detailed analysis at cavefxa.com indicate that users should upgrade to a current, patched version of PWS_Dashboard. The associated EPSS score reached a peak of 0.0564 before receding to its current value of 0.0269; no confirmed in-the-wild exploitation has been reported.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-48191
Vulnerability details
PWS Personal Weather Station Dashboard (PWS_Dashboard) LTS December 2020 (2012_lts) allows remote code execution by injecting PHP code into settings.php. Attacks can use the PWS_printfile.php, PWS_frame_text.php, PWS_listfile.php, PWS_winter.php, and PWS_easyweathersetup.php endpoints. A contributing factor is a hardcoded login password of…
more
support, which is not documented. (This is not the same as the documented setup password, which is 12345.) The issue was fixed in late 2022.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Enables users to notice when hard-coded credentials have been exploited for unauthorized access.
Security training explicitly warns against hard-coded credentials, lowering their use in systems.
Policy and procedures prohibit hard-coded credentials in favor of managed authentication.
External identity providers eliminate the need for hard-coded credentials in applications.
Changing default authenticators prior to first use and protecting content prevents use of hard-coded credentials.
Central credential stores and rotation policies remove the need for hard-coded credentials in configuration files or code.
Intelligence programs surface reports of campaigns that abuse hard-coded credentials in products, prompting removal or replacement and thereby reducing successful exploitation.
Planned investment enables secure credential storage and management systems instead of hard-coded credentials.