Recently, security researchers at VulnCheck reported that hundreds of internet-exposed SolarView systems indexed by Shodan have not been patched against a critical command injection vulnerability.
Researchers noted that both Mirai botnet operators and less sophisticated attackers have already begun exploiting it, and more are expected to follow.
Unit 42 researchers at Palo Alto Networks found that the Mirai botnet is exploiting a command injection vulnerability (CVE-2022-29303) in Contec's SolarView series software in order to spread.
SolarView is deployed at more than 30,000 solar power stations, and CVE-2022-29303 is one of three critical vulnerabilities affecting it.
Flaw Profile
- CVE ID: CVE-2022-29303
- Description: SolarView Compact ver.6.00 was found to contain a command injection vulnerability via conf_mail.php.
- CVSS Score: 9.8
- Severity: CRITICAL
SolarView Systems Indexed
At present, Shodan indexes more than 600 of these systems. SolarView monitors and displays solar power generation and storage for small to medium-scale installations.
Starting from the public exploits tracked by VulnCheck Exploit Intelligence, researchers examined the likely scope and impact of exploitation in real-world deployments.
Beyond its deployment at more than 30,000 power stations, Contec also describes deployment scenarios for:-
- SolarView Air
- SolarView Battery
This shows that the hardware is used in commercial buildings and solar power plants.
Given its clear focus on ICS networks, a Contec SolarView should never be reachable from the internet; nevertheless, hundreds of them are.
The affected versions include 'ver.6.00', which dates back to 2019. Since then, SolarView Compact has received four firmware updates:-
- 6.20 in 2019
- 7.00 in 2021
- 8.00 in 2022
- 8.10 in 2023
Taken on its own, the CVE description would suggest that only a limited number of exposed hosts are vulnerable. CVE-2022-29303 affects the conf_mail.php endpoint of the device's web server, and although version 6.20 was released after the vulnerable 6.00, it did not fix the issue.
Both versions 6.00 and 6.20 are affected; in fact, researchers found that the simple command injection in conf_mail.php has existed since version 4.00.
Validation of the attacker-controlled $mail_address variable was only added in version 8.00, the same release in which conf_mail.php was added to the auth require list. In other words, on every release before 8.00 the endpoint was reachable without authentication and passed the address through unvalidated.
The impact is therefore broader than the CVE description suggests: fewer than one-third of the internet-exposed SolarView series systems have addressed CVE-2022-29303.
The Unit 42 blog was not the first sign of in-the-wild exploitation; an Exploit-DB entry for CVE-2022-29303 has existed since May 2022.
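The bug class described above (a mail address taken from a web request and spliced into a shell command without validation, then fixed by validating the variable) is illustrated below. This is an added example, not Contec's conf_mail.php code and not the published exploit: the function names, the hypothetical `mail` command line, the validation regex and the sample addresses are all assumptions made for illustration. It shows the vulnerable string-interpolation pattern next to a hardened version that validates the address and then executes without a shell, and a small tokenizer that counts how many shell commands an injected address turns the command line into.

```python
"""
Vulnerable vs. hardened handling of a user-supplied mail address.

Added illustration of the bug class in the article; not Contec's code.
All names, the `mail` command line and the sample inputs are assumptions.
"""
import re
import shlex

# Conservative mailbox pattern (assumption): local part and domain are limited
# to characters that mean nothing to a POSIX shell. Deliberately narrower than
# RFC 5322 so that quoting tricks are rejected outright rather than escaped.
_MAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]{1,64}@[A-Za-z0-9.-]{1,253}\.[A-Za-z]{2,}$")


def build_mail_command_vulnerable(mail_address: str) -> str:
    """Vulnerable pattern: interpolate the request parameter into a shell string.

    When this string reaches a shell (PHP exec()/system(), Python
    subprocess.run(..., shell=True)), anything the attacker appends after a
    metacharacter such as ';' is executed as a second command.
    """
    return f'echo "test" | mail -s "SolarView test" {mail_address}'


def validate_mail_address(mail_address: str) -> str:
    """Allow-list check: return the address unchanged or raise ValueError."""
    if not _MAIL_RE.fullmatch(mail_address):
        raise ValueError(f"rejected mail address: {mail_address!r}")
    return mail_address


def build_mail_command_hardened(mail_address: str) -> list[str]:
    """Hardened pattern: validate first, then build an argv list.

    The argv list is meant for subprocess.run(argv) without a shell, so even a
    metacharacter that slipped past validation would reach `mail` as a literal
    argument. If a shell string is unavoidable, shlex.quote(addr) (PHP:
    escapeshellarg()) is the minimum, on top of the validation, not instead of it.
    """
    addr = validate_mail_address(mail_address)
    return ["mail", "-s", "SolarView test", addr]


def count_shell_commands(cmdline: str) -> int:
    """Count simple commands in a POSIX command line.

    Minimal tokenizer for illustration: a new command starts at ';', '|', '&'
    or newline outside single/double quotes. Backticks and $(...) are not
    modelled; this is enough to show an appended payload becoming an extra
    command, not a full shell parser.
    """
    quote = None        # currently open quote character, if any
    commands = 1
    prev_sep = False    # so that '&&', '||' and ';;' count once
    for ch in cmdline:
        if quote:
            if ch == quote:
                quote = None
        elif ch in "'\"":
            quote = ch
        elif ch in ";|&\n":
            if not prev_sep:
                commands += 1
            prev_sep = True
            continue
        prev_sep = False
    return commands


if __name__ == "__main__":
    benign = "ops@example.com"                    # constructed sample input
    hostile = "ops@example.com; id > /tmp/pwned"  # constructed sample input
    for addr in (benign, hostile):
        cmd = build_mail_command_vulnerable(addr)
        print(f"{count_shell_commands(cmd)} command(s): {cmd}")
    print(shlex.join(build_mail_command_hardened(benign)))
    try:
        build_mail_command_hardened(hostile)
    except ValueError as exc:
        print("hardened:", exc)
```

The PHP equivalents of the two halves of the fix are `filter_var($addr, FILTER_VALIDATE_EMAIL)` for the allow-list check and `escapeshellarg()` for any value that still has to be placed in an `exec()`/`system()` string. Putting the endpoint behind authentication, as the article says version 8.00 did, limits who can reach the bug but does not remove it; the validation is what removes it.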
Other RCEs
The SolarView systems are also affected by additional unauthenticated Remote Code Execution (RCE) vulnerabilities, listed below:-
Up to version 8.00, the SolarView series is vulnerable to CVE-2023-23333, a simple command injection affecting the downloader.php endpoint.
Compact versions 4.0, 5.0 and 6.0 are affected by CVE-2022-44354, a file upload vulnerability that lets an attacker upload a PHP web shell to the device.
Since the SolarView series primarily serves as a monitoring system, the worst case on the device itself would likely be a loss of visibility into generation and storage.
The wider impact of exploitation depends heavily on how the SolarView hardware is integrated into the network: a compromised device that sits on an ICS network gives the attacker a foothold there, with potentially serious consequences.
Organizations should monitor their public IP space for exposed devices of this kind and keep track of public exploits targeting their critical systems.