CVE-2022-35857
📋 TL;DR
CVE-2022-35857 is a critical remote code execution vulnerability in kvf-admin that allows attackers to execute arbitrary code on affected systems. The vulnerability exists because the rememberMe parameter is encrypted with a hardcoded key and then insecurely deserialized by the application. Any organization running vulnerable versions of kvf-admin is affected.
💻 Affected Systems
- kvf-admin
📦 What is this software?
Kvf Admin by Kvf Admin Project
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise allowing attackers to execute arbitrary commands, steal sensitive data, install malware, or pivot to other systems in the network.
Likely Case
Remote code execution leading to data theft, system takeover, and potential lateral movement within the network.
If Mitigated
Attackers cannot execute arbitrary code but may still attempt other attack vectors; proper controls limit damage to isolated systems.
🎯 Exploit Status
Exploitation is straightforward due to the hardcoded key and public proof-of-concept code available in GitHub issues.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Versions after 2022-02-12
Vendor Advisory: https://github.com/kalvinGit/kvf-admin/issues/16
Restart Required: Yes
Instructions:
1. Upgrade kvf-admin to a version after 2022-02-12.
2. Replace the hardcoded encryption key with a secure, unique key.
3. Restart the application server.
🔧 Temporary Workarounds
Disable rememberMe functionality
Temporarily disable the vulnerable rememberMe feature to prevent exploitation.
Modify the application configuration to set shiro.rememberMe.enabled=false
Web Application Firewall rule
Block requests containing rememberMe parameter patterns.
Configure the WAF to block requests whose rememberMe parameter contains serialized data patterns
🧯 If You Can't Patch
- Isolate affected systems from internet access and restrict network connectivity
- Implement strict network segmentation and monitor for unusual rememberMe parameter usage
🔍 How to Verify
Check if Vulnerable:
Check whether the kvf-admin version is 2022-02-12 or earlier, and examine ShiroConfig for a hardcoded encryption key
Check Version:
Check application version in web interface or configuration files
Verify Fix Applied:
Verify that the kvf-admin version is after 2022-02-12 and confirm that the encryption key has been changed from the default
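The "examine ShiroConfig for a hardcoded encryption key" step can be scripted. The following is an added example, not code from kvf-admin or from the advisory: it scans Java source for CookieRememberMeManager.setCipherKey calls whose argument embeds a string literal. It assumes the common Shiro pattern of passing a Base64 literal to setCipherKey; the sample configuration classes, the key value and the loadRememberMeKey() helper name in the fixed variant are all constructed for this example.

```python
import base64
import binascii
import re

# Constructed sample of a Shiro configuration class. The advisory points at ShiroConfig;
# the key value below is made up (16 zero-risk bytes) and follows the common pattern of
# passing a Base64 literal to CookieRememberMeManager.setCipherKey (an assumption about
# how the key is set, not a detail taken from kvf-admin).
_FAKE_KEY = base64.b64encode(b"constructed-key!").decode()  # 16 bytes, not a real key

VULNERABLE_CONFIG = f'''
@Bean
public CookieRememberMeManager rememberMeManager() {{
    CookieRememberMeManager manager = new CookieRememberMeManager();
    manager.setCipherKey(Base64.decode("{_FAKE_KEY}"));
    return manager;
}}
'''

# The same class after the fix: the key is loaded at runtime instead of being compiled in.
# loadRememberMeKey() is a hypothetical helper name, not kvf-admin's own.
FIXED_CONFIG = '''
@Bean
public CookieRememberMeManager rememberMeManager() {
    CookieRememberMeManager manager = new CookieRememberMeManager();
    manager.setCipherKey(loadRememberMeKey());
    return manager;
}
'''

# Greedy match up to the last ')' before ';' so nested calls such as Base64.decode("...")
# are captured as the whole argument.
CALL_RE = re.compile(r'setCipherKey\s*\((?P<arg>.*)\)\s*;')
LITERAL_RE = re.compile(r'"([^"]*)"')


def find_hardcoded_cipher_keys(source):
    """Return one finding per setCipherKey call whose argument contains a string literal.

    Each finding records the source line, the literal, and the decoded key length in bytes
    (None when the literal is not valid Base64).
    """
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        call = CALL_RE.search(line)
        if not call:
            continue
        literal = LITERAL_RE.search(call.group("arg"))
        if not literal:
            continue  # key comes from a method/field, not a compiled-in literal
        value = literal.group(1)
        try:
            key_bytes = len(base64.b64decode(value, validate=True))
        except binascii.Error:
            key_bytes = None
        findings.append({"line": lineno, "literal": value, "key_bytes": key_bytes})
    return findings


if __name__ == "__main__":
    for label, src in (("vulnerable", VULNERABLE_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, find_hardcoded_cipher_keys(src))
```

A hit means the key ships with the code and is therefore recoverable by anyone who can read the build artifact, which is the condition this CVE relies on; an empty result for the fixed class is the state the "Verify Fix Applied" step expects. The scan only inspects the argument to setCipherKey, so a key stored as a constant and passed by name would need a second pass that resolves that constant.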
📡 Detection & Monitoring
Log Indicators:
- Unusual rememberMe parameter values in HTTP requests
- Multiple failed authentication attempts followed by successful rememberMe usage
- Java deserialization errors in application logs
Network Indicators:
- HTTP POST requests with rememberMe parameter containing encoded/serialized data
- Unusual outbound connections from application server
SIEM Query:
source="web_logs" AND rememberMe="*" AND (status=200 OR status=302)
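The log and network indicators above can be turned into a small correlation check. The following is an added example, not code from the advisory or from kvf-admin: it parses constructed access-log lines, looks at every request that carried a rememberMe value and received a 200 or 302, and flags values that are not valid Base64, whose decoded length is not a multiple of the AES block size (a Shiro-produced cookie is AES-CBC output and always is), that exceed a size threshold, or that follow repeated failed logins from the same client. The log format (cookie value appended as a final quoted field), the 2048-byte threshold, the use of 401/403 on /login as the failed-login signal and all addresses and payload bytes are assumptions made for this example.

```python
import base64
import binascii
import re
from collections import defaultdict

# Constructed sample log. The format is assumed (not a server default): client IP, two
# identity fields, timestamp, request line, status, and the rememberMe cookie value or "-".
# A real deployment must extend its access-log format to record that cookie.
_BIG = base64.b64encode(b"\x00" * 4096).decode()    # stands in for a large serialized blob
_NORMAL = base64.b64encode(b"\x01" * 64).decode()   # plausible size for a genuine cookie

SAMPLE_LOG_LINES = [
    '10.0.0.5 - - [12/Feb/2022:10:00:01 +0000] "POST /login HTTP/1.1" 401 "-"',
    '10.0.0.5 - - [12/Feb/2022:10:00:02 +0000] "POST /login HTTP/1.1" 401 "-"',
    f'10.0.0.5 - - [12/Feb/2022:10:00:03 +0000] "GET /admin/index HTTP/1.1" 200 "rememberMe={_BIG}"',
    '10.0.0.9 - - [12/Feb/2022:10:01:00 +0000] "GET /admin/index HTTP/1.1" 200 "rememberMe=deleteMe"',
    f'10.0.0.9 - - [12/Feb/2022:10:01:05 +0000] "GET /admin/index HTTP/1.1" 302 "rememberMe={_NORMAL}"',
    '10.0.0.7 - - [12/Feb/2022:10:02:00 +0000] "GET /admin/index HTTP/1.1" 200 "rememberMe=not!!base64"',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) "(?P<cookie>[^"]*)"$'
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    cookie = rec.pop("cookie")
    rec["remember_me"] = cookie[len("rememberMe="):] if cookie.startswith("rememberMe=") else None
    return rec


def inspect_value(value, size_threshold):
    """Return reason codes describing why a rememberMe value looks abnormal (empty if it does not)."""
    reasons = []
    if value == "deleteMe":  # sentinel Shiro writes when clearing the cookie; harmless
        return reasons
    try:
        raw = base64.b64decode(value, validate=True)
    except binascii.Error:
        return ["not_base64"]
    if len(raw) % 16 != 0:  # AES-CBC output (IV + ciphertext) is always a multiple of 16 bytes
        reasons.append("bad_block_length")
    if len(raw) > size_threshold:
        reasons.append("oversized")
    return reasons


def analyze_log(lines, size_threshold=2048, failed_login_path="/login"):
    """Correlate failed logins with later rememberMe use and flag abnormal cookie values."""
    failed = defaultdict(int)  # failed-login count per client IP, in log order
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["path"] == failed_login_path and rec["status"] in (401, 403):
            failed[rec["ip"]] += 1
            continue
        # Mirrors the SIEM query: only requests that carried rememberMe and got 200/302.
        if rec["remember_me"] is None or rec["status"] not in (200, 302):
            continue
        reasons = inspect_value(rec["remember_me"], size_threshold)
        if rec["remember_me"] != "deleteMe" and failed[rec["ip"]] >= 2:
            reasons.append("after_failed_logins")
        if reasons:
            findings.append({"ip": rec["ip"], "timestamp": rec["ts"],
                             "path": rec["path"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in analyze_log(SAMPLE_LOG_LINES):
        print(finding)
```

Run against the sample, the check reports the client that sent an oversized value after two failed logins and the client that sent a value that is not Base64 at all, while the cleared cookie and the normal-sized one pass. The size threshold is the weakest signal on its own, since a legitimate rememberMe cookie is also AES-encrypted serialized data; the failed-login correlation and the Java deserialization errors listed under Log Indicators are what should drive escalation.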