CVE-2022-23878

9.8 CRITICAL

📋 TL;DR

CVE-2022-23878 is an arbitrary code execution vulnerability in SeaCMS V11.5's admin_config.php file that allows attackers to execute arbitrary PHP code on the server. This affects all SeaCMS V11.5 installations with the admin panel accessible. Attackers can gain complete control of affected systems.

💻 Affected Systems

Products:
  • SeaCMS
Versions: V11.5
Operating Systems: All operating systems running PHP
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all SeaCMS V11.5 installations. The admin_config.php file is part of the default installation.

📦 What is this software?

SeaCMS (海洋CMS) is an open-source, PHP-based content management system, most commonly deployed for video-on-demand sites. Its administrative functions live in a separate admin directory, of which admin_config.php is one page.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete system compromise allowing attackers to execute arbitrary commands, steal data, install malware, pivot to other systems, and maintain persistent access.

🟠 Likely Case: Web server compromise leading to data theft, defacement, cryptocurrency mining, or ransomware deployment.

🟢 If Mitigated: Limited impact if proper network segmentation, WAF rules, and file integrity monitoring are in place.

🌐 Internet-Facing: HIGH - Admin panels are frequently exposed to the internet, and whether admin_config.php can be reached without an admin session depends on the deployment (see Exploit Status); treat any exposed panel as exploitable.
🏢 Internal Only: MEDIUM - An admin panel reachable only from the internal network can still be hit by an attacker who has phished a user or moved laterally into that network.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public exploit write-ups exist on Chinese security blogs. admin_config.php is part of the admin panel; whether it can be reached without an authenticated admin session depends on how the install is configured, so confirm the access control on your own deployment rather than assuming the login page protects it.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: V11.6 or later

Vendor Advisory: Unknown - SeaCMS is open source with limited formal vendor support

Restart Required: No

Instructions:

1. Back up the database and the whole web root.
2. Download SeaCMS V11.6 or later from the official repository.
3. Replace all files except the uploads directory and the site configuration files.
4. Confirm admin_config.php was actually replaced: compare its hash with the copy in the V11.6 release archive rather than trusting the file timestamp.

🔧 Temporary Workarounds

Remove admin_config.php

linux

Temporarily move the vulnerable file out of the web root. Moving (rather than deleting) keeps a copy for the upgrade, and moving it outside the document root avoids leaving a .bak file that some servers would happily serve as plain text. The admin configuration page stops working until the file is restored by the upgrade.

# run from the SeaCMS admin directory; the destination path is only an example
mv admin_config.php /var/backups/seacms-admin_config.php.bak

Restrict access via .htaccess

apache

Block all access to admin_config.php using web server rules. This only works on Apache with AllowOverride enabled for the directory (at least Limit/AuthConfig); the syntax below is for Apache 2.4, and an Apache 2.2 install would use Order Allow,Deny plus Deny from all instead.

<Files "admin_config.php">
  Require all denied
</Files>
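
nginx does not read .htaccess files, so the same block has to go into the server configuration. This is an added example, not configuration from the page or from the SeaCMS project; the /admin/ prefix is an assumption and must be replaced with the real admin directory name of the install.

```nginx
# Added example (not from SeaCMS): deny admin_config.php for everyone.
# Place this ABOVE the generic "location ~ \.php$" block: nginx uses the first
# matching regex location, and a block that matched .php without a
# fastcgi_pass would serve the PHP source as a static file.
location ~ /admin/admin_config\.php$ {
    deny all;   # 403 for every client; nothing is handed to PHP
}
```

Reload nginx after the change and confirm with a request to the path that you get a 403 and not the page.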

🧯 If You Can't Patch

  • Implement strict network access controls to block external access to the admin panel
  • Deploy a web application firewall (WAF) with rules to block RCE attempts and file upload patterns

🔍 How to Verify

Check if Vulnerable:

The install is affected if the SeaCMS version is 11.5 and admin_config.php is present. Search the whole install tree for the file rather than assuming the admin directory name, since operators commonly rename it.

Check Version:

Check the version.txt file or look for version information in the footer of SeaCMS pages

Verify Fix Applied:

Verify the SeaCMS version is 11.6 or later and that admin_config.php is byte-for-byte the file shipped in that release (compare a hash against the release archive); a version string alone does not prove the file was replaced.
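
The two checks above, as an added example that is not code from the page or from the SeaCMS project: it reads the version from version.txt (the location in the web root is an assumption taken from the "Check Version" step), searches the whole tree for admin_config.php, and hashes each copy so it can be compared with the V11.6 release file. The verdict logic is separated from the filesystem access so it can be tested on its own.

```python
# Added example, not part of the page or of SeaCMS: classify a SeaCMS
# install for CVE-2022-23878 from the version and the presence of
# admin_config.php. version.txt in the web root is an assumption.
import hashlib
import re
from pathlib import Path

FIXED = (11, 6)       # page: patched in V11.6 or later
AFFECTED = (11, 5)    # page: the only version listed as vulnerable


def parse_version(text):
    """Pull major.minor out of strings such as 'V11.5' or 'SeaCMS 11.6.1'."""
    m = re.search(r"(\d+)\.(\d+)", text)
    return (int(m.group(1)), int(m.group(2))) if m else None


def classify(version, has_admin_config):
    """Map (version, file present?) to a verdict string."""
    if version is None:
        return "unknown"            # no version found; inspect by hand
    if not has_admin_config:
        return "not-vulnerable"     # the vulnerable component is absent
    if version == AFFECTED:
        return "vulnerable"
    if version < FIXED:
        return "unpatched"          # below the fix version but not the version the page lists
    return "patched"


def sha256_of(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()


def assess(root):
    """Filesystem wrapper: search the whole tree for admin_config.php instead of
    assuming the admin directory name, and hash every copy found so it can be
    compared with the file shipped in the V11.6 release."""
    root = Path(root)
    vfile = root / "version.txt"
    version = parse_version(vfile.read_text(errors="replace")) if vfile.is_file() else None
    files = sorted(root.rglob("admin_config.php"))
    return {
        "version": version,
        "status": classify(version, bool(files)),
        "admin_config": {str(p): sha256_of(p) for p in files},
    }


if __name__ == "__main__":
    import json
    import sys
    print(json.dumps(assess(sys.argv[1] if len(sys.argv) > 1 else "."), indent=2))
```

Run it with the web root as the argument. A "patched" verdict still only tells you the version string moved; the hash in the output is what you compare with the release archive to confirm the file itself changed.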

📡 Detection & Monitoring

Log Indicators:

  • POST requests to admin_config.php from source addresses that are not your administrators', or outside normal admin working hours
  • File upload attempts to admin directories, and new or modified .php files under the uploads directory (file integrity monitoring)
  • PHP function names such as eval(, system(, shell_exec( in request URIs or POST bodies (URL-decode before matching; plain access logs do not record POST bodies, so body inspection needs WAF or mod_security logging)

Network Indicators:

  • HTTP requests carrying PHP code in query or body parameters
  • Unusual outbound connections from the web server (reverse shells, downloads of second-stage tooling)

SIEM Query:

source="web_logs" AND ((method="POST" AND uri="*admin_config.php*") OR (method="POST" AND uri="*.php*" AND (body="*eval(*" OR body="*system(*" OR body="*shell_exec(*")))

The parentheses matter: without them, AND binds tighter than OR and the query matches every GET to admin_config.php, which is routine admin traffic. The body clauses only return results if the log source actually captures request bodies.
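
The same indicators applied to raw access-log lines, as an added example that is not code from the page or from SeaCMS. The log lines are constructed for the example, not captured from an incident. Because combined-format access logs carry only the request line, this code matches on the path and query string; the POST-body patterns from the SIEM query need a WAF or mod_security log source instead.

```python
# Added example, not from the page or from SeaCMS: run the log indicators
# over combined-format access log lines. SAMPLE_LOG is constructed.
import re
from urllib.parse import unquote_plus

# Combined log format: ip - user [time] "METHOD path HTTP/x" status bytes "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# Execution primitives the page lists, plus a few that public PHP web shells use
PHP_MARKERS = re.compile(
    r"\b(eval|system|shell_exec|passthru|exec|assert|base64_decode)\s*\(|<\?php|php://",
    re.IGNORECASE,
)

SAMPLE_LOG = """\
203.0.113.7 - - [10/Feb/2022:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Feb/2022:10:01:09 +0000] "POST /admin/admin_config.php HTTP/1.1" 200 88 "-" "python-requests/2.27"
203.0.113.7 - - [10/Feb/2022:10:01:15 +0000] "GET /x.php?c=system%28%27id%27%29 HTTP/1.1" 200 40 "-" "curl/7.79"
198.51.100.2 - - [10/Feb/2022:10:02:00 +0000] "GET /admin/admin_config.php HTTP/1.1" 200 3000 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def findings_for(entry):
    """Return the indicator names one parsed entry triggers (empty list if none)."""
    hits = []
    path, _, query = entry["uri"].partition("?")
    # a GET of the admin page is normal admin use; only POSTs are flagged
    if entry["method"] == "POST" and path.endswith("/admin_config.php"):
        hits.append("post-to-admin_config")
    # decode once so %28 becomes '(' before the pattern is applied
    if PHP_MARKERS.search(unquote_plus(query)) or PHP_MARKERS.search(unquote_plus(path)):
        hits.append("php-code-in-request")
    return hits


def scan(log_text):
    """Return (ip, uri, [indicators]) for every line that triggers at least one."""
    out = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        hits = findings_for(entry)
        if hits:
            out.append((entry["ip"], entry["uri"], hits))
    return out


if __name__ == "__main__":
    for ip, uri, hits in scan(SAMPLE_LOG):
        print(ip, uri, ",".join(hits))
```

On the sample, the POST to admin_config.php and the URL-encoded system('id') are flagged while the routine GET of the admin page and the front-page request are not; pipe a real access log into scan() and pivot on the source address of any hit.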
