CVE-2022-27336

CVSS base score: 9.8 CRITICAL

📋 TL;DR

CVE-2022-27336 is a remote code execution (RCE) vulnerability in Seacms v11.6: the /admin/weixin.php component of the administration back end lets an attacker run arbitrary code on the web server. Every installation running the vulnerable version is affected, and successful exploitation compromises the web server itself, not just the CMS.

💻 Affected Systems

Products:
  • Seacms
Versions: v11.6
Operating Systems: All platforms running PHP
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability exists in the default installation of Seacms v11.6.

📦 What is this software?

Seacms (海洋CMS, also written SeaCMS) is an open-source, PHP-based content management system, mostly deployed for video-on-demand sites. /admin/ is its web administration back end; weixin.php is the WeChat (微信) integration page inside it.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete server compromise allowing attackers to install malware, steal data, pivot to internal networks, or use the server for further attacks.

🟠

Likely Case

Webshell deployment leading to data theft, defacement, or cryptocurrency mining.

🟢

If Mitigated

Limited impact if proper network segmentation, WAF rules, and access controls prevent exploitation.

🌐 Internet-Facing: HIGH - The vulnerable component is reachable through the web interface and, per the published rating, needs no authentication. Note that the script lives under /admin/, the administration back end: check whether your deployment exposes /admin/ to the Internet at all, and treat an exposed admin directory as a risk in its own right, independent of this CVE.
🏢 Internal Only: MEDIUM - Internal instances can still be hit once an attacker has a foothold elsewhere on the network (phishing, a compromised workstation, a VPN account).

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploit details are publicly available in Chinese security notes. The vulnerability requires no authentication and has simple exploitation steps.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v11.7 or later

Vendor Advisory: Not publicly documented by vendor

Restart Required: No

Instructions:

1. Back up the Seacms installation and database.
2. Download the latest release from the official Seacms website.
3. Replace all files except configuration files and uploads.
4. Run any database update scripts shipped with the release.
5. Before returning the site to service, compare the restored tree against the fresh release and look for unexpected PHP files in the configuration and upload directories: upgrading closes the hole but does not remove a webshell an attacker has already dropped.

🔧 Temporary Workarounds

Block access to vulnerable endpoint

Applies to: all platforms

Deny requests to /admin/weixin.php in the web server configuration or at the firewall. This also disables the legitimate WeChat settings page, so if administrators still need it, allow only trusted source addresses instead of denying everything. Better still, restrict the whole /admin/ directory to trusted addresses or a VPN.

# Apache (.htaccess in the web root; inside a vhost block, prefix the pattern with a slash):
RewriteEngine On
RewriteRule ^admin/weixin\.php$ - [F,L,NC]

# Nginx (~* makes the match case-insensitive, so /Admin/weixin.php is covered too):
location ~* ^/admin/weixin\.php$ { deny all; }

Implement WAF rules

Applies to: all platforms

Add a web application firewall rule that denies every request whose path is the vulnerable script, regardless of HTTP method, letter case or query string.

# ModSecurity: match on REQUEST_FILENAME (the path without the query string).
# An "@streq" test against REQUEST_URI would miss any request that carries a query string,
# because REQUEST_URI includes it.
SecRule REQUEST_FILENAME "@endsWith /admin/weixin.php" "id:1001,phase:1,t:lowercase,deny,status:403,log,msg:'CVE-2022-27336 Seacms weixin.php blocked'"

🧯 If You Can't Patch

  • Restrict /admin/ to trusted source addresses or a VPN so the back end is not reachable from the Internet.
  • If the WeChat integration is not used, remove or rename admin/weixin.php so the vulnerable code cannot be reached; the verification steps below treat removal as an acceptable outcome.
  • Implement strict network segmentation to isolate the Seacms server from critical systems.
  • Deploy file integrity monitoring on the web root to detect unauthorized changes to web files, in particular new PHP files appearing in writable directories.

🔍 How to Verify

Check if Vulnerable:

Request /admin/weixin.php without a session cookie and do not follow redirects. A 200 response carrying the settings page means the endpoint is reachable unauthenticated; a redirect to the login page, a 403 or a 404 means it is not. Then confirm the Seacms version in the admin panel or the configuration files.

Check Version:

The admin panel shows the version; otherwise search the installation tree. On Linux:
grep -rIi 'version' /path/to/seacms/ | grep '11\.6'

Verify Fix Applied:

Confirm the Seacms version is v11.7 or later, then repeat the unauthenticated request: /admin/weixin.php should now be removed (404), denied (403) or redirect to the login page.
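The unauthenticated request described above, as an added example that is not code from the advisory or the Seacms project. It sends a single GET with no cookies, refuses to follow redirects, and turns the answer into a verdict; the base URL is a placeholder assumption, and the "login-page" heuristic (a 200 whose body mentions a login form) is this example's own guess about how some PHP panels bounce unauthenticated visitors, not Seacms-specific knowledge. Run it only against systems you are authorised to test.

```python
"""Probe whether /admin/weixin.php answers without a session (CVE-2022-27336).

Added example for this advisory; not code from the Seacms project.
The base URL is a placeholder assumption. The probe sends one plain GET
and never submits a payload.
"""
import sys
import urllib.error
import urllib.request

TARGET_PATH = "/admin/weixin.php"


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Do not follow redirects: a 302 to the login page is itself the answer."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def classify(status, headers, body=b""):
    """Map a raw response to a verdict. `headers` is any mapping with .get()."""
    location = (headers.get("Location") or "").lower()
    if status in (301, 302, 303, 307, 308):
        return "login-redirect" if "login" in location else "redirect"
    if status in (401, 403):
        return "blocked"
    if status == 404:
        return "missing"
    if status == 200:
        # Assumption: some PHP admin panels bounce to the login form with
        # JavaScript or a meta refresh rather than an HTTP redirect, so a 200
        # whose body mentions "login" is not counted as exposed.
        return "login-page" if b"login" in body.lower() else "exposed"
    return "other-%d" % status


def probe(base_url, timeout=10):
    """GET the endpoint with no cookies and return classify()'s verdict."""
    opener = urllib.request.build_opener(NoRedirect())
    req = urllib.request.Request(base_url.rstrip("/") + TARGET_PATH,
                                 headers={"User-Agent": "weixin-check"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return classify(resp.status, resp.headers, resp.read(4096))
    except urllib.error.HTTPError as err:
        # urllib raises HTTPError for the unfollowed redirect and for 4xx/5xx;
        # the status, headers and body are still available on the exception.
        try:
            body = err.read(4096)
        except Exception:
            body = b""
        return classify(err.code, err.headers, body)


if __name__ == "__main__":
    base = sys.argv[1] if len(sys.argv) > 1 else "http://seacms.example.test"  # assumption
    verdict = probe(base)
    print("%s%s -> %s" % (base, TARGET_PATH, verdict))
    # "exposed" means the page answered an unauthenticated request: treat as vulnerable.
    sys.exit(1 if verdict == "exposed" else 0)
```

Use `python3 probe.py https://your-seacms-host` before patching and again after; the exit code is 1 only for the "exposed" verdict, so the script drops into a remediation pipeline as a pass/fail gate.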

📡 Detection & Monitoring

Log Indicators:

  • POST requests to /admin/weixin.php, especially from addresses that never used the admin panel before or from scripted user agents
  • PHP errors or warnings in the web server error log attributed to admin/weixin.php
  • File creation or modification in web directories shortly after such requests

Network Indicators:

  • HTTP requests to /admin/weixin.php with suspicious parameters
  • Outbound connections from web server to unknown IPs

SIEM Query:

Vendor-neutral pseudo-syntax; adapt the field names to your platform. Matching on the script name rather than the full path also catches installations in a subdirectory and paths written with doubled slashes:

source="web_server" AND uri CONTAINS "weixin.php"

Raise the priority for POST requests that were not denied:

source="web_server" AND uri CONTAINS "weixin.php" AND method="POST" AND NOT status IN (401, 403, 404)
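The log indicators above, turned into a scanner over constructed access-log lines. This is an added example, not part of the advisory or the Seacms project: the sample log is fabricated in the common combined format, the trusted administrator subnet (10.0.0.0/8) is an assumption, and the severity scheme is the example's own rather than anything the vendor publishes.

```python
"""Scan web-server access logs for hits on /admin/weixin.php (CVE-2022-27336).

Added example for this advisory; not code from the Seacms project. The log
lines are constructed samples in the combined log format, the trusted
administrator subnet is an assumption, and the severity levels are this
example's own.
"""
import ipaddress
import re
from collections import Counter

# ip ident user [time] "METHOD PATH PROTO" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Networks whose administrators are expected to use the back end (assumption).
TRUSTED_ADMIN_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed sample: an admin from the trusted range, an external host that
# fetches the page and then POSTs to it, a blocked attempt written with odd
# casing and a doubled slash, ordinary traffic, and one junk line.
SAMPLE_LOG = """\
10.0.5.7 - - [11/Apr/2022:09:01:12 +0000] "GET /admin/weixin.php HTTP/1.1" 200 4821 "-" "Mozilla/5.0"
203.0.113.42 - - [11/Apr/2022:09:03:55 +0000] "GET /admin/weixin.php HTTP/1.1" 200 4821 "-" "python-requests/2.27"
203.0.113.42 - - [11/Apr/2022:09:03:58 +0000] "POST /admin/weixin.php HTTP/1.1" 200 312 "-" "python-requests/2.27"
198.51.100.9 - - [11/Apr/2022:09:10:00 +0000] "POST /Admin//weixin.php?x=1 HTTP/1.1" 403 199 "-" "curl/7.81"
192.0.2.14 - - [11/Apr/2022:09:12:30 +0000] "GET /index.php HTTP/1.1" 200 9021 "-" "Mozilla/5.0"
this line is not an access-log record and is skipped
"""


def normalise(path):
    """Drop the query string, lower-case, and collapse repeated slashes so that
    /Admin//weixin.php?x=1 and /seacms/admin/weixin.php are both recognised."""
    path = path.split("?", 1)[0].lower()
    return re.sub(r"/+", "/", path)


def is_trusted(ip):
    """True when the client address falls inside a trusted admin network."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_ADMIN_NETS)


def severity(method, status, trusted):
    """Denied attempts are still counted (low). Otherwise an untrusted POST
    that got through is the strongest signal that the exploit was used."""
    if status >= 400:
        return "low"
    if trusted:
        return "info"
    return "high" if method == "POST" else "medium"


def scan(lines):
    """Return one finding per request whose normalised path ends in /admin/weixin.php."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed or foreign line
        path = normalise(m.group("path"))
        if not path.endswith("/admin/weixin.php"):
            continue
        status = int(m.group("status"))
        trusted = is_trusted(m.group("ip"))
        findings.append({
            "ip": m.group("ip"),
            "time": m.group("time"),
            "method": m.group("method"),
            "path": path,
            "status": status,
            "severity": severity(m.group("method"), status, trusted),
        })
    return findings


def summarise(findings):
    """Counts per severity plus the source addresses to triage first."""
    by_sev = Counter(f["severity"] for f in findings)
    hot_ips = sorted({f["ip"] for f in findings if f["severity"] == "high"})
    return {"by_severity": dict(by_sev), "hot_ips": hot_ips}


if __name__ == "__main__":
    results = scan(SAMPLE_LOG.splitlines())
    for f in results:
        print("%-6s %-15s %-4s %s %d" % (f["severity"], f["ip"], f["method"], f["path"], f["status"]))
    print(summarise(results))
```

Feed real logs with `scan(open("/var/log/nginx/access.log"))`; a "high" finding is an untrusted client whose POST to the endpoint was answered with a 2xx or 3xx, which is the moment to pull the file integrity monitoring alerts and outbound connection logs for the same host.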
