cve/2022/CVE-2022-28005.md

CVE-2022-28005

Description

An issue was discovered in the 3CX Phone System Management Console prior to version 18 Update 3 FINAL. An unauthenticated attacker could abuse improperly secured access to arbitrary files on the server (via /Electron/download directory traversal in conjunction with a path component that uses backslash characters), leading to cleartext credential disclosure. Afterwards, the authenticated attacker is able to upload a file that overwrites a 3CX service binary, leading to Remote Code Execution as NT AUTHORITY\SYSTEM on Windows installations. NOTE: this issue exists because of an incomplete fix for CVE-2022-48482.

POC

Reference

• https://medium.com/@frycos/pwning-3cx-phone-management-backends-from-the-internet-d0096339dd88

Github

No PoCs found on GitHub currently.