CVE-2022-28118

9.8 CRITICAL

📋 TL;DR

CVE-2022-28118 is a critical remote code execution vulnerability in SiteServer CMS v7.x that allows attackers to execute arbitrary code by uploading a malicious plugin. This affects all organizations using vulnerable versions of SiteServer CMS, potentially compromising entire web servers and their data.

💻 Affected Systems

Products:
  • SiteServer CMS
Versions: v7.x
Operating Systems: All platforms running SiteServer CMS
Default Config Vulnerable: ⚠️ Yes
Notes: All installations with plugin upload functionality enabled are vulnerable. The vulnerability requires attacker access to upload plugins.


⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete server takeover, data theft, ransomware deployment, and lateral movement to other systems in the network.

🟠 Likely Case

Website defacement, data exfiltration, backdoor installation for persistent access, and credential harvesting.

🟢 If Mitigated

Limited impact with proper network segmentation, web application firewalls, and strict file upload controls.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploit requires authentication/access to upload plugins. Public proof-of-concept code exists in GitHub repositories.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Update to latest version beyond v7.x

Vendor Advisory: https://github.com/siteserver/cms/issues/3386

Restart Required: Yes

Instructions:

1. Back up the current installation and database.
2. Download the latest SiteServer CMS version.
3. Replace all files with the new version.
4. Restart the web server.
5. Verify functionality.

🔧 Temporary Workarounds

Disable Plugin Uploads

Applies to: all

Temporarily disable plugin upload functionality until patching can be completed.

Modify the SiteServer CMS configuration to remove plugin upload permissions.

Implement File Upload Restrictions

Applies to: all

Configure the web server to block upload of executable files and validate all uploaded content.

Configure web application firewall rules to block suspicious file uploads.

🧯 If You Can't Patch

  • Isolate SiteServer CMS instance in separate network segment with strict egress filtering
  • Implement application allowlisting to prevent execution of unauthorized plugins

🔍 How to Verify

Check if Vulnerable:

Check SiteServer CMS version in admin panel or by examining version files in installation directory

Check Version:

Check /admin/panel or examine web.config/version.txt files in SiteServer installation

Verify Fix Applied:

Verify version is updated beyond v7.x and test plugin upload functionality with safe test files

📡 Detection & Monitoring

Log Indicators:

  • Unusual plugin uploads
  • Unexpected file creation in plugin directories
  • Execution of suspicious processes spawned by the web server

Network Indicators:

  • Outbound connections from the web server to unknown IPs
  • Unusual traffic patterns from the CMS server

SIEM Query:

source="webserver" AND (event="plugin_upload" OR file_extension IN ("dll", "exe", "php", "asp"))
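As an added example (not part of this advisory, and not SiteServer's own code), the same detection logic applied offline to a few constructed audit log lines: flag plugin uploads whose file carries one of the extensions named in the query above, and flag executable files written into the plugin directory. The key=value log format, the field names and the plugin directory path are assumptions made for the example.

```python
import os
import re
from typing import Dict, List, Optional, Tuple

# Extensions the SIEM query above treats as risky for plugin uploads.
RISKY_EXTENSIONS = {"dll", "exe", "php", "asp"}

# Hypothetical plugin directory of a SiteServer deployment (assumption, not from the advisory).
PLUGIN_DIR = "/var/www/siteserver/plugins/"

# Constructed sample audit log lines; field names and paths are assumptions for this example.
SAMPLE_LOGS = [
    'ts=2024-01-05T09:12:01Z event=plugin_upload user=editor file="report-theme.zip" status=200',
    'ts=2024-01-05T09:15:44Z event=plugin_upload user=editor file="helper.dll" status=200',
    'ts=2024-01-05T09:16:02Z event=file_create path="/var/www/siteserver/plugins/helper/cmd.asp"',
    'ts=2024-01-05T09:20:10Z event=file_create path="/var/www/siteserver/uploads/img/banner.png"',
    'ts=2024-01-05T09:21:33Z event=plugin_upload user=admin file="logo.PHP" status=200',
    "malformed line without key=value fields",
]

# key=value pairs; values may be double-quoted to allow spaces.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_log_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one key=value log line; return None when it carries no event field."""
    fields = {key: value.strip('"') for key, value in FIELD_RE.findall(line)}
    return fields if "event" in fields else None


def risky_extension(name: str) -> Optional[str]:
    """Return the lower-cased extension if it is in RISKY_EXTENSIONS, else None."""
    ext = os.path.splitext(os.path.basename(name))[1].lstrip(".").lower()
    return ext if ext in RISKY_EXTENSIONS else None


def classify(fields: Dict[str, str]) -> Optional[str]:
    """Return an alert reason for a suspicious event, or None for benign events."""
    event = fields.get("event")
    if event == "plugin_upload":
        ext = risky_extension(fields.get("file", ""))
        if ext:
            return f"plugin upload of .{ext} file by {fields.get('user', '?')}: {fields['file']}"
    elif event == "file_create":
        path = fields.get("path", "")
        if path.startswith(PLUGIN_DIR):
            ext = risky_extension(path)
            if ext:
                return f"executable .{ext} written into plugin directory: {path}"
    return None


def scan(lines: List[str]) -> List[Tuple[str, str]]:
    """Run the detection over log lines; return (timestamp, reason) per alert."""
    alerts: List[Tuple[str, str]] = []
    for line in lines:
        fields = parse_log_line(line)
        if fields is None:
            continue  # unparseable line: skip rather than crash the pipeline
        reason = classify(fields)
        if reason:
            alerts.append((fields.get("ts", "?"), reason))
    return alerts


if __name__ == "__main__":
    for ts, reason in scan(SAMPLE_LOGS):
        print(f"{ts}  ALERT  {reason}")
```

Extension matching is case-insensitive on purpose so that `logo.PHP` is treated the same as `logo.php`; file creation outside the plugin directory (the `banner.png` line) is ignored, and the archive upload passes because the rule only looks at the final extension, which is why the page also recommends validating archive contents and restricting execution in the plugin directory.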
