SolarView Compact Command Injection Vulnerability - 20230714001
Overview
SolarView Compact contains a command injection vulnerability caused by improper validation of input values on the send-test-mail console of the product's web server.
What is the threat?
The vulnerability lies in the SolarView Compact confi_mail.php component, which fails to adequately sanitize user-supplied input, allowing command injection.
What is the vulnerability?
CVE-2022-40881 and CVE-2022-29303; both are known to be exploited.
What is vulnerable?
SolarView Compact 6.00 was discovered to contain a command injection vulnerability via network_test.php.
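Because the affected pages are reached through the product's web server, web-server access logs are a practical place to look for attempts against them. The following detection snippet is an added example, not part of this advisory or the vendor's code; it assumes Combined Log Format, and the parameter names and all sample log lines are constructed.

```python
"""Flag access-log lines that target the SolarView Compact pages named in the
advisory (network_test.php, confi_mail.php) with shell metacharacters in the
query string. Added example; Combined Log Format and parameter names assumed."""
import re
from urllib.parse import urlsplit, parse_qsl

# Pages named in the advisory; matched on the last path component.
SUSPECT_PAGES = ("network_test.php", "confi_mail.php")
# Characters that let a value break out of a shell command built by concatenation.
SHELL_META = re.compile(r"[;&|`$(){}<>\n\\]")
# Minimal Combined Log Format parser: client, method, request URL.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*"')

def classify(line: str):
    """Return (client, page, reason) for a suspicious request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    client, _method, url = m.groups()
    parts = urlsplit(url)
    page = parts.path.rsplit("/", 1)[-1]
    if page not in SUSPECT_PAGES:
        return None
    # parse_qsl URL-decodes values, so %3B is inspected as ';' (what PHP sees).
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if SHELL_META.search(value):
            return (client, page, f"shell metacharacter in parameter '{key}'")
    return None

def scan(lines):
    """Run classify over an iterable of log lines and collect the hits."""
    return [hit for hit in map(classify, lines) if hit]

# Constructed sample log lines (not real traffic); parameter names are assumed.
SAMPLE_LOG = [
    '203.0.113.5 - - [14/Jul/2023:10:00:01 +0800] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [14/Jul/2023:10:00:02 +0800] "GET /network_test.php?ip=192.0.2.10 HTTP/1.1" 200 880 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [14/Jul/2023:10:00:03 +0800] "GET /network_test.php?ip=192.0.2.10%3Bid HTTP/1.1" 200 910 "-" "curl/7.88"',
    '198.51.100.7 - - [14/Jul/2023:10:00:04 +0800] "GET /confi_mail.php?mail_address=a%40example.com%7Cwhoami HTTP/1.1" 200 700 "-" "curl/7.88"',
]

if __name__ == "__main__":
    for client, page, reason in scan(SAMPLE_LOG):
        print(f"{client} -> {page}: {reason}")
```

Access logs do not record POST bodies, so form submissions to these pages need request-body logging or a web application firewall to inspect.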
What has been observed?
There is no evidence of exploitation affecting Western Australian Government networks at the time of publishing.
Recommendation
Because these vulnerabilities are known to be exploited, the WA SOC recommends remediating them within the next two weeks.
Reference
- Industrial Control Systems hardware vulnerability exploited in the wild