Vulnerability Details : CVE-2022-28005
An issue was discovered in the 3CX Phone System Management Console prior to version 18 Update 3 FINAL. An unauthenticated attacker could abuse improperly secured access to arbitrary files on the server (via /Electron/download directory traversal in conjunction with a path component that uses backslash characters), leading to cleartext credential disclosure. Afterwards, the authenticated attacker is able to upload a file that overwrites a 3CX service binary, leading to Remote Code Execution as NT AUTHORITY\SYSTEM on Windows installations. NOTE: this issue exists because of an incomplete fix for CVE-2022-48482.
Vulnerability category: Directory traversal; Execute code
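The chain in the description above is two path-containment failures on one host: a download handler that lets a backslash path component climb out of its directory, and an upload handler that lets the destination land on a service binary. The Python below is an added example, not 3CX's code and not taken from the advisories or the write-up linked on this page. It places a naive check that only inspects forward-slash components (the kind of check a backslash traversal walks straight past) beside a hardened resolver that normalises with Windows path semantics and proves the result is a strict descendant of the intended root, so the same function can guard both the download and the upload target. The root directory and the request strings are constructed for illustration.

```python
import ntpath

# Constructed root for a Windows web handler that serves and receives files.
# Hypothetical layout for illustration only; it is not 3CX's directory structure.
DOWNLOAD_ROOT = r"C:\App\Electron"


def naive_resolve(root: str, requested: str) -> str:
    """Vulnerable pattern: only forward-slash components are inspected.

    On Windows the filesystem also treats '\\' as a separator, so a request
    such as '..\\..\\secret.ini' passes this check and escapes the root.
    """
    if ".." in requested.split("/"):
        raise ValueError("traversal rejected")
    # normpath applies Windows semantics: this is where the path actually lands.
    return ntpath.normpath(ntpath.join(root, requested))


def resolve_under_root(root: str, requested: str) -> str:
    """Hardened resolution for both download and upload targets.

    Joins with Windows semantics, normalises '..' and both separators, then
    requires the result to be a strict descendant of the root. Absolute
    paths, other drives and UNC shares all fail the containment test.
    """
    if "\x00" in requested:
        raise ValueError("NUL byte in path")
    # ntpath.join drops the root when 'requested' is absolute, rooted ('\\x'),
    # drive-relative ('D:x') or a UNC path, so containment must be re-checked.
    candidate = ntpath.normpath(ntpath.join(root, requested))
    root_n = ntpath.normcase(ntpath.normpath(root))
    cand_n = ntpath.normcase(candidate)
    try:
        common = ntpath.commonpath([root_n, cand_n])
    except ValueError:
        # Different drive, or absolute mixed with relative: cannot be inside root.
        raise ValueError("path escapes download root")
    if common != root_n or cand_n == root_n:
        raise ValueError("path escapes download root")
    return candidate


def verdict(requested: str) -> str:
    """Return 'allow' or 'deny' for a request resolved against DOWNLOAD_ROOT."""
    try:
        resolve_under_root(DOWNLOAD_ROOT, requested)
        return "allow"
    except ValueError:
        return "deny"


# Constructed request strings: one benign, the rest traversal attempts.
SAMPLE_REQUESTS = [
    "updates/app.exe",
    "../../secret.ini",
    r"..\..\secret.ini",
    r"updates\..\..\..\secret.ini",
    "/Windows/win.ini",
    r"\\evil\share\payload.exe",
    "D:secret.ini",
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        try:
            naive = naive_resolve(DOWNLOAD_ROOT, req)
        except ValueError:
            naive = "rejected"
        print(f"{req!r:36} naive -> {naive!s:30} hardened -> {verdict(req)}")
```

The naive check rejects only `../../secret.ini`; the backslash variant, the rooted `/Windows/win.ini`, the UNC share and the drive-relative `D:secret.ini` all resolve outside the root and are returned as if they were fine. The hardened resolver denies every one of them and still allows `updates/app.exe`. Using `ntpath` rather than `os.path` keeps the Windows semantics fixed no matter which platform the check runs on, which matters when the service in question is Windows-only.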
Products affected by CVE-2022-28005
- cpe:2.3:a:3cx:3cx:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2022-28005
- EPSS score: 2.06% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~89% (the proportion of vulnerabilities that are scored at or less)
CVSS scores for CVE-2022-28005
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N | 10.0 | 2.9 | NIST | |
9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 | NIST | |
CWE ids for CVE-2022-28005
- The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval. (Assigned by: nvd@nist.gov, Primary)
References for CVE-2022-28005
- https://www.3cx.com/blog/releases/v18-update-3-final/ : "3CX V18 Update 3 Final is now available to download" (Release Notes; Vendor Advisory)
- https://www.3cx.com/blog/change-log/phone-system-change-log/ : "3CX Build History / Change Log" (Release Notes; Vendor Advisory)
- https://www.3cx.com/blog/releases/v18-security-hotfix/ : "New security and memory Hotfix now available for V18 Update 3 | 3CX" (Release Notes; Vendor Advisory)
- https://medium.com/@frycos/pwning-3cx-phone-management-backends-from-the-internet-d0096339dd88 : "Pwning 3CX Phone Management Backends from the Internet" by frycos, Medium