VYPR
Unrated severity · NVD Advisory · Published Sep 1, 2022 · Updated Aug 3, 2024

CVE-2022-36602

Description

InnoSilicon A10 a10_20200924_120556 was discovered to contain a remote code execution (RCE) vulnerability in the setPlatformAPI function.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

2
  • InnoSilicon/A10 (source: description)
  • InnoSilicon/A10 (source: llm-create)
    Range: = a10_20200924_120556

Vulnerability mechanics

Root cause

"Missing input sanitization (no escapeshellcmd()) in the setPlatformAPI function allows shell metacharacters in user-supplied URL parameters to be passed directly to shell_exec()."

Attack vector

An attacker must first authenticate to the miner's web interface, either using the undocumented guest account (guest/guest) or by obtaining a valid JWT [ref_id=1]. Once authenticated, the attacker can send a crafted request to the `setPlatformAPI` function (or the related `checkUrl` endpoint in older firmware) with a payload containing shell metacharacters in the URL parameter. Because the older firmware does not use `escapeshellcmd()` on the ping URL, the unsanitized input is passed directly to `shell_exec()`, allowing arbitrary OS command execution [ref_id=1]. The attack is network-accessible over HTTP/HTTPS on the miner's management interface.

Affected code

The vulnerable code is in the `setPlatformAPI` function within the InnoSilicon web interface. The researcher's audit references the `/usr/share/factory/www` directory and specifically the `checkUrl` API endpoint, where older firmware versions used an unsanitized shell command: `$ping_cmd = "ping ".$ping_url." -c 5"` [ref_id=1]. The `setPlatformAPI` function is named in the CVE description but the reference write-up does not show its source code.

What the fix does

The patch (present in newer firmware) wraps the ping URL with `escapeshellcmd()`, changing the vulnerable line from `$ping_cmd = "ping ".$ping_url." -c 5"` to `$ping_cmd = escapeshellcmd("ping ".$ping_url." -c 5")` [ref_id=1]. This prevents shell metacharacters from being interpreted as part of the command. The researcher notes that even after this fix, the `checkUrl` function remains commented out in the API router, suggesting the vendor does not fully trust the endpoint [ref_id=1]. No patch for the `setPlatformAPI` function specifically is shown in the bundle.
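
Added example (not the vendor's firmware code and not taken from the referenced write-up): a stricter way to build the ping command. PHP's `escapeshellcmd()` escapes shell metacharacters across the whole string but still lets the supplied value contribute extra arguments, so this version validates the value as an IP address or hostname and quotes it with `escapeshellarg()`. `build_ping_cmd()`, `HOSTNAME_RE` and the sample inputs are hypothetical, and PHP 7.1 or later is assumed.

```php
<?php
// Added example, not InnoSilicon firmware code. build_ping_cmd(),
// HOSTNAME_RE and the sample inputs are hypothetical/constructed.

// Lines quoted on this page, for contrast:
//   older firmware: $ping_cmd = "ping ".$ping_url." -c 5";
//   newer firmware: $ping_cmd = escapeshellcmd("ping ".$ping_url." -c 5");

// Hostname syntax: dot-separated labels of letters, digits and '-',
// each label starting and ending with a letter or digit, 253 chars max.
const HOSTNAME_RE = '/\A(?=.{1,253}\z)[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?'
                  . '(?:\.[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)*\z/i';

/**
 * Build the ping command for a user-supplied target, or return null when
 * the target is not an IP literal or a syntactically valid hostname.
 */
function build_ping_cmd(string $target): ?string
{
    $isIp   = filter_var($target, FILTER_VALIDATE_IP) !== false;
    $isHost = preg_match(HOSTNAME_RE, $target) === 1;
    if (!$isIp && !$isHost) {
        return null; // reject instead of trying to repair the input
    }
    // Validation already excludes whitespace, metacharacters and a leading
    // '-'; escapeshellarg() still quotes the value as exactly one argument.
    return 'ping -c 5 ' . escapeshellarg($target);
}

// Constructed sample inputs.
$samples = [
    '192.0.2.10',
    'pool.example.com',
    'pool.example.com; echo test',  // contains a shell metacharacter
    'pool.example.com -c 9',        // tries to append an option
    "pool.example.com\n",           // trailing newline
];

foreach ($samples as $s) {
    $cmd = build_ping_cmd($s);
    printf("%-32s => %s\n", json_encode($s), $cmd ?? 'REJECTED');
}
```

Rejecting invalid input before any command string is built means the quoting step is a second layer and not the only control.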

Preconditions

  • network: Attacker must have network access to the miner's HTTP/HTTPS management interface
  • auth: Attacker must authenticate (e.g., using the undocumented guest/guest account or a valid JWT)
  • config: The vulnerable firmware version (a10_20200924_120556 or older) must be running
  • input: Attacker must send a crafted payload containing shell metacharacters in the URL parameter

Generated on May 28, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

1
