CVE-2022-30037
📋 TL;DR
XunRuiCMS versions 4.3.3 through 4.5.1 contain a vulnerability in the add function of cron.php that lets an authenticated attacker write arbitrary PHP files and include CMS PHP files, leading to remote code execution. Any installation running an affected version is exposed to anyone who holds, or steals, administrative credentials; a successful attacker runs arbitrary PHP code on the server with the privileges of the web server process.
💻 Affected Systems
- XunRuiCMS
📦 What is this software?
XunRuiCMS is a PHP content management system published by the XunRuiCMS project.
⚠️ Risk & Real-World Impact
Worst Case
Complete server compromise allowing attackers to execute arbitrary commands, steal data, install malware, or pivot to other systems.
Likely Case
Website defacement, data theft, or installation of backdoors for persistent access.
If Mitigated
Limited impact if the admin panel and cron.php are reachable only from trusted networks, admin accounts use strong credentials, and the web server user cannot write to directories from which PHP is executed, so that a written file cannot be included.
🎯 Exploit Status
Exploitation requires authenticated administrative access. Public proof-of-concept demonstrates file write and inclusion.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.5.2 or later
Vendor Advisory: https://github.com/xunruicms/xunruicms/releases
Restart Required: No (if PHP OPcache runs with validate_timestamps disabled, reset the cache or restart PHP-FPM so the patched files are actually loaded)
Instructions:
1. Back up your current installation (files and database).
2. Download XunRuiCMS version 4.5.2 or later from the official repository.
3. Replace the vulnerable files with the patched versions.
4. Verify that the update succeeded by confirming the reported version is 4.5.2 or later.
🔧 Temporary Workarounds
Restrict Administrative Access
Limit access to the admin panel, and to cron.php itself, to trusted IP addresses only. The paths below assume the admin entry point is /admin.php; adjust them to your installation.
# Apache (httpd.conf or .htaccess): allow the admin entry point and cron.php only from a trusted network
<LocationMatch "^/(admin|cron)\.php$">
    Require ip 192.168.1.0/24
</LocationMatch>
# Nginx: add "allow 192.168.1.0/24; deny all;" inside a "location ~ ^/(admin|cron)\.php$" block
# that still carries your fastcgi_pass line (a location without one serves the PHP source as a plain file)
Disable cron.php if Unused
Remove or disable the cron.php file if cron functionality is not required. Scheduled tasks that the CMS runs through cron.php stop working while it is disabled, so restore it after patching.
# Rename the file so the web server no longer finds it (adjust the web root path)
mv /path/to/cron.php /path/to/cron.php.disabled
# Or leave it in place but unreadable by the web server user, so requests to it return 403
chmod 000 /path/to/cron.php
🧯 If You Can't Patch
- Implement strict network segmentation so a compromised web server cannot reach internal systems.
- Deploy a web application firewall (WAF) rule that denies POST requests to cron.php from any address outside the trusted administrative network and alerts on every request to it.
🔍 How to Verify
Check if Vulnerable:
Check the XunRuiCMS version in the admin panel or by examining the system files. Versions between 4.3.3 and 4.5.1 inclusive are vulnerable.
Check Version:
Check the version.php file or admin dashboard for version information.
Verify Fix Applied:
Verify the installed version is 4.5.2 or later. Test administrative functions to ensure they work without errors.
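As an added example (not from the advisory or the XunRuiCMS project), the following POSIX shell check tells whether a version string you read from the dashboard or the version file falls inside the affected 4.3.3 to 4.5.1 range. The version strings at the bottom are constructed inputs, not output from a real installation.

```shell
#!/bin/sh
# Added example: classify a XunRuiCMS version string against the CVE-2022-30037 range.
# Read the real version from your own installation; the values below are constructed.

# Turn "a.b.c" into a single integer so versions compare numerically:
# 4.5.1 -> 4005001. Missing or non-numeric components count as 0.
ver_key() {
    printf '%s' "$1" | awk -F. '{ print ($1 * 1000000) + ($2 * 1000) + ($3 + 0) }'
}

# Prints "vulnerable" or "not-vulnerable"; returns 0 for vulnerable, 1 otherwise.
xunrui_vulnerable() {
    v=$(ver_key "$1")
    lo=$(ver_key 4.3.3)   # first affected release
    hi=$(ver_key 4.5.1)   # last affected release; 4.5.2 carries the fix
    if [ "$v" -ge "$lo" ] && [ "$v" -le "$hi" ]; then
        echo vulnerable
        return 0
    fi
    echo not-vulnerable
    return 1
}

# Constructed inputs covering both range boundaries and the fixed release.
for v in 4.3.2 4.3.3 4.4.0 4.5.1 4.5.2; do
    printf '%-6s %s\n' "$v" "$(xunrui_vulnerable "$v")"
done
```

The numeric key is only meant for the three-component version numbers XunRuiCMS publishes; a suffix such as "-beta" is ignored by awk's numeric conversion, so treat such builds by their base number.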
📡 Detection & Monitoring
Log Indicators:
- File writes by the web server user (for example from auditd or inotify) shortly after a request to cron.php
- New or modified PHP files in web-accessible directories, especially upload or cache paths
- Multiple failed login attempts followed by a successful admin login
Network Indicators:
- HTTP POST requests to cron.php, especially from addresses that do not normally administer the site
- Unexpected outbound connections from the web server
SIEM Query:
source="web_server" AND uri="/cron.php" AND method="POST" AND (param="add" OR param="file")
The field names above are illustrative; the advisory does not document the request parameters of the add function, so match on the path and method first and narrow on parameters once you know how your log pipeline names them.
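The same indicators can be checked locally. The POSIX shell script below is an added example, not part of the advisory and not XunRuiCMS code: it extracts POST requests to cron.php from a combined-format access log and lists PHP files under the web root modified within the last few days. The log lines and the web root it scans are constructed inline so it runs offline; because the advisory does not name the request parameters of the add function, the log check matches on the path only.

```shell
#!/bin/sh
# Added example: local checks for the log and file-system indicators of CVE-2022-30037.
# Everything below the two functions is constructed sample data, not captured traffic.

# Print "client timestamp method path status" for every POST to /cron.php in a
# combined/common-format access log ($6 is the quoted method, $7 the request path).
find_cron_posts() {
    awk '$6 == "\"POST" && $7 ~ "^/cron[.]php($|[?])" {
            print $1, substr($4, 2), "POST", $7, $9
         }' "$1"
}

# List PHP files under web root $1 modified within the last $2 days (candidate webshells).
recent_php_files() {
    find "$1" -type f -name '*.php' -mtime "-$2" | sort
}

# --- constructed sample data ---------------------------------------------------
LOG=$(mktemp)
ROOT=$(mktemp -d)
trap 'rm -rf "$LOG" "$ROOT"' EXIT
cat > "$LOG" <<'EOF'
203.0.113.7 - - [12/May/2022:10:01:03 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [12/May/2022:10:01:09 +0000] "POST /admin.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [12/May/2022:10:01:15 +0000] "POST /cron.php HTTP/1.1" 200 44 "-" "Mozilla/5.0"
198.51.100.9 - - [12/May/2022:10:02:00 +0000] "GET /cron.php HTTP/1.1" 200 12 "-" "curl/7.81.0"
EOF
mkdir -p "$ROOT/uploads"
printf '<?php /* long-standing CMS file */' > "$ROOT/index.php"
touch -t 202201010000 "$ROOT/index.php"               # old mtime: must not be flagged
printf '<?php /* freshly dropped file */' > "$ROOT/uploads/x.php"   # current mtime: flagged

echo "POSTs to cron.php:"
find_cron_posts "$LOG"
echo "PHP files changed in the last 7 days under $ROOT:"
recent_php_files "$ROOT" 7
```

Run the file-system check from a cron job against the real web root and compare its output with your deployment record; a PHP file that nobody deployed is the strongest single indicator this vulnerability leaves behind.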