CVE-2022-32409

9.8 CRITICAL

📋 TL;DR

This CVE describes a Local File Inclusion (LFI) vulnerability in Portal do Software Publico Brasileiro i3geo version 7.0.5 that allows attackers to execute arbitrary PHP code via crafted HTTP requests to codemirror.php. The vulnerability affects organizations using this specific version of i3geo software, potentially allowing complete system compromise.

💻 Affected Systems

Products:
  • Portal do Software Publico Brasileiro i3geo
Versions: v7.0.5
Operating Systems: Any OS running PHP
Default Config Vulnerable: ⚠️ Yes
Notes: Requires codemirror.php component to be accessible via HTTP

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full system compromise leading to data theft, ransomware deployment, or complete server takeover

🟠 Likely Case

Arbitrary code execution leading to web shell installation and lateral movement within the network

🟢 If Mitigated

Limited impact if proper input validation and file inclusion restrictions are implemented

🌐 Internet-Facing: HIGH - Web-accessible component with public exploit available
🏢 Internal Only: MEDIUM - Still significant risk if internal users can access the vulnerable endpoint

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Proof of concept available on GitHub demonstrating exploitation

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Not available

Restart Required: No

Instructions:

No official patch available. Consider upgrading to newer versions if available or implementing workarounds.

🔧 Temporary Workarounds

Restrict access to codemirror.php (all platforms)

Block or restrict HTTP access to the vulnerable codemirror.php file

# Apache 2.2: add to .htaccess (or the vhost configuration)
<Files "codemirror.php">
    Order Deny,Allow
    Deny from all
</Files>
# Apache 2.4 uses the mod_authz_core syntax instead:
<Files "codemirror.php">
    Require all denied
</Files>
# Nginx: add to the server block. Place it BEFORE any generic
# "location ~ \.php$" block, because nginx uses the first matching
# regex location; "deny all" already answers with 403.
location ~ /codemirror\.php$ {
    deny all;
}

Implement input validation (all platforms)

Add strict input validation to prevent file path manipulation

// In codemirror.php, before the file is included: allow-list the requested name
$allowed_files = ['file1.php', 'file2.php']; // replace with the files codemirror.php legitimately serves
$requested = $_GET['file'] ?? '';            // avoid an undefined-index notice when the parameter is absent
// Strict comparison: a non-string value (e.g. file[]=...) can never match an entry
if (!in_array($requested, $allowed_files, true)) {
    http_response_code(400);
    die('Invalid file request');
}

🧯 If You Can't Patch

  • Implement web application firewall (WAF) rules to block LFI patterns
  • Isolate the vulnerable system in a restricted network segment

🔍 How to Verify

Check if Vulnerable:

Check if codemirror.php exists and is accessible via HTTP, and test with known LFI payloads

Check Version:

Check i3geo version in configuration files or admin interface

Verify Fix Applied:

Test that codemirror.php no longer accepts arbitrary file paths or returns 403 when blocked

📡 Detection & Monitoring

Log Indicators:

  • HTTP requests to codemirror.php with unusual file parameters
  • Multiple failed attempts to access restricted files

Network Indicators:

  • Unusual outbound connections from web server
  • HTTP requests containing path traversal patterns (../, ..\)

SIEM Query:

source="web_logs" AND uri="*codemirror.php*" AND (param="*../*" OR param="*..\\*" OR param="*php://*" OR param="*data://*")

The backslash in the second pattern is doubled so it matches a literal "..\" rather than escaping the wildcard. The field names uri and param are generic; map them to the request-path and query-parameter fields of your SIEM's web-log schema.
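The same log indicators can be checked offline against raw access logs. The script below is an added example, not part of the advisory or of i3geo: it parses combined-format (Apache/nginx) access-log lines, decodes each query parameter a second time so double-encoded traversal is not missed, and flags requests to codemirror.php whose parameters contain the traversal sequences or PHP stream wrappers named in the SIEM query above. The log lines are constructed samples, and the parameter name file is assumed from the validation snippet earlier on this page.

```python
"""Flag access-log lines that look like LFI attempts against codemirror.php.

Added example for the advisory's detection section (not vendor code).
Assumes Apache/nginx combined log format; sample lines are constructed.
"""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Combined log format:
# host ident user [time] "METHOD target HTTP/x" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Indicators from the advisory: slash and backslash traversal, php:// and data:// wrappers.
INDICATORS = {
    "traversal_slash": re.compile(r"\.\./"),
    "traversal_backslash": re.compile(r"\.\.\\"),
    "php_wrapper": re.compile(r"php://", re.IGNORECASE),
    "data_wrapper": re.compile(r"data://", re.IGNORECASE),
}

# Constructed sample traffic (not real log data).
SAMPLE_LOG = [
    # benign request to an unrelated page
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /i3geo/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    # plain traversal in the file parameter
    '198.51.100.7 - - [10/Oct/2023:13:55:40 +0000] "GET /i3geo/codemirror.php?file=../../../../etc/passwd HTTP/1.1" 200 1024 "-" "curl/7.88"',
    # double-encoded traversal, answered with 403 by the web-server workaround
    '198.51.100.7 - - [10/Oct/2023:13:55:41 +0000] "GET /i3geo/codemirror.php?file=%252e%252e%252fetc%252fpasswd HTTP/1.1" 403 199 "-" "curl/7.88"',
    # php:// stream wrapper in the file parameter
    '198.51.100.9 - - [10/Oct/2023:13:56:02 +0000] "GET /i3geo/codemirror.php?file=php://filter/resource=index.php HTTP/1.1" 200 2048 "-" "python-requests/2.31"',
    # benign request to codemirror.php
    '203.0.113.5 - - [10/Oct/2023:13:56:10 +0000] "GET /i3geo/codemirror.php?file=main.js HTTP/1.1" 200 300 "-" "Mozilla/5.0"',
]


def analyze_line(line: str):
    """Return a finding dict for a suspicious codemirror.php request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None  # not a combined-format line; skip rather than guess
    parts = urlsplit(m.group("target"))
    # Decode the path too, so an encoded "codemirror%2Ephp" is still recognised.
    if not unquote(parts.path).lower().endswith("codemirror.php"):
        return None
    hits = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        # parse_qsl already decoded once; decoding again catches %252e%252e%252f.
        decoded = unquote(value)
        for label, pattern in INDICATORS.items():
            if pattern.search(decoded):
                hits.append((name, label))
    if not hits:
        return None
    return {
        "ip": m.group("ip"),
        "time": m.group("time"),
        "status": int(m.group("status")),
        "hits": hits,
    }


def scan(lines):
    """Run analyze_line over an iterable of log lines and keep the findings."""
    return [f for f in (analyze_line(line) for line in lines) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        # A 403 means the block rule worked; a 200 deserves a closer look.
        print(finding)
```

Feed it a real log with scan(open("/var/log/nginx/access.log")) once the sample list has been replaced; a hit with status 200 from a host that was not deliberately testing the endpoint is the case worth escalating.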
