CVE-2022-39986
📋 TL;DR
CVE-2022-39986 is an unauthenticated OS command injection in the RaspAP web interface, versions 2.8.0 through 2.8.7. The cfg_id parameter accepted by the OpenVPN configuration endpoints /ajax/openvpn/activate_ovpncfg.php and /ajax/openvpn/del_ovpncfg.php is passed into a shell command without validation, so a remote attacker who can reach the web interface can run arbitrary commands as the web server user without logging in. Every installation in that version range is affected regardless of whether OpenVPN is configured.
💻 Affected Systems
- RaspAP (web interface for Raspberry Pi wireless access points), versions 2.8.0 through 2.8.7
📦 What is this software?
RaspAP is an open-source web GUI (PHP, served by lighttpd on a stock install) for turning a Raspberry Pi or other Debian-based device into a wireless access point. It also manages OpenVPN client profiles, which is the feature exposed by this bug. Published by the RaspAP project (github.com/RaspAP/raspap-webgui).
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise: malware installation, pivoting into the networks the Pi bridges, data exfiltration, or a persistent backdoor. A stock RaspAP install grants the web server user www-data passwordless sudo for a list of system commands (/etc/sudoers.d/090_raspap), so command execution as www-data is a short step from root, and the device sits at a network chokepoint because it is the access point.
Likely Case
Remote code execution leading to cryptocurrency mining, botnet enrollment, or credential theft from the Raspberry Pi.
If Mitigated
Limited blast radius if the web interface is reachable only from a trusted management network and the www-data sudoers entries have been trimmed to what is actually needed, though command execution as www-data remains possible until the code is patched.
🎯 Exploit Status
Exploit code is publicly available and trivial to execute. The vulnerability requires no authentication and has simple exploitation vectors.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.8.8 and later
Vendor Advisory: https://github.com/RaspAP/raspap-webgui/security/advisories
Restart Required: No
Instructions:
1. Back up /etc/raspap and the web root (/var/www/html by default). 2. RaspAP is not distributed as a Debian package, so apt upgrade will not update it; re-run the official installer, curl -sL https://install.raspap.com | bash, which recognises an existing installation and upgrades it in place, or check out the 2.8.8 (or later) release of raspap-webgui from GitHub into the web root. 3. Confirm the installed version is 2.8.8 or higher: the constant RASPI_VERSION in includes/defaults.php under the web root, also shown in the web UI.
🔧 Temporary Workarounds
Block vulnerable endpoints
Use the web server configuration to answer 403 for the two affected PHP files. Note that RaspAP's quick installer deploys lighttpd, not Apache or Nginx, so the snippets below only apply to installs that were put behind one of those servers; on a stock install the equivalent rule belongs in the lighttpd configuration (mod_access).
# For Apache 2.4: add to the virtual host config (or .htaccess where AllowOverride permits it)
<Files "activate_ovpncfg.php">
    Require all denied
</Files>
<Files "del_ovpncfg.php">
    Require all denied
</Files>
# Apache 2.2, or 2.4 with mod_access_compat, uses "Order allow,deny" / "Deny from all" instead
# For Nginx: add to the server block ahead of the generic "location ~ \.php$" handler,
# since regex locations are tried in order and the first match wins; deny already returns 403
location ~ ^/ajax/openvpn/(activate_ovpncfg|del_ovpncfg)\.php$ {
    deny all;
}
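For the lighttpd server that RaspAP actually ships with, the same block as a small installable script. This is an added example, not RaspAP project code: it assumes the Debian lighttpd layout (/etc/lighttpd/conf-available plus lighty-enable-mod) and that mod_access is loaded, as it is in the stock lighttpd.conf; the fragment name 99-block-raspap-ovpn is an arbitrary choice.

```shell
#!/bin/sh
# Added example, not RaspAP project code: deny the two CVE-2022-39986 endpoints
# in lighttpd, the web server RaspAP's quick installer deploys. Assumes the
# Debian lighttpd layout (/etc/lighttpd/conf-available, lighty-enable-mod) and
# that mod_access is loaded, as it is in the stock lighttpd.conf.
set -u

CONF_NAME="99-block-raspap-ovpn"   # fragment name, an assumption

# Print the fragment. url.access-deny with an empty-string entry matches every
# URL inside the conditional, so lighttpd answers 403 before PHP ever runs.
block_conf() {
    cat <<'EOF'
# CVE-2022-39986 workaround: refuse the RaspAP OpenVPN ajax endpoints
$HTTP["url"] =~ "^/ajax/openvpn/(activate_ovpncfg|del_ovpncfg)\.php" {
    url.access-deny = ( "" )
}
EOF
}

# Write, enable, syntax-check and reload. Run as root on the Pi.
apply_block() {
    block_conf > "/etc/lighttpd/conf-available/$CONF_NAME.conf" || return 1
    lighty-enable-mod "${CONF_NAME#99-}" || return 1   # symlinks it into conf-enabled
    lighttpd -tt -f /etc/lighttpd/lighttpd.conf || return 1   # never reload a broken config
    systemctl reload lighttpd
}

# Run with "apply" to install; without arguments it only prints the fragment.
# Afterwards, from another host, a POST to the endpoint should return 403:
#   curl -s -o /dev/null -w '%{http_code}\n' -d 'cfg_id=test' http://<pi>/ajax/openvpn/activate_ovpncfg.php
if [ "${1:-}" = "apply" ]; then
    apply_block
else
    block_conf
fi
```

The syntax check before the reload matters on a headless Pi: a typo in the fragment would otherwise take the whole web UI down together with the vulnerable endpoints.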
Disable OpenVPN functionality
If the OpenVPN client feature is not needed, take the two endpoint files out of the web root. This removes OpenVPN profile management from the UI until they are restored, and a later upgrade or reinstall puts the (fixed) files back; moving them to a directory outside the web root instead of deleting them keeps a copy for comparison.
sudo rm -f /var/www/html/ajax/openvpn/activate_ovpncfg.php
sudo rm -f /var/www/html/ajax/openvpn/del_ovpncfg.php
🧯 If You Can't Patch
- Restrict reachability of the RaspAP web interface (ports 80/443 on the Pi) to a trusted management network or specific admin addresses, for example with nftables or iptables on the Pi itself; in particular do not expose it on the access point's client-facing interface if those clients are untrusted.
- Deploy a web application firewall (WAF) with command injection rules in front of the RaspAP interface.
🔍 How to Verify
Check if Vulnerable:
Read the installed version: the constant RASPI_VERSION in includes/defaults.php under the web root (/var/www/html by default) is authoritative, and the same value is shown in the web UI. Any version from 2.8.0 through 2.8.7 with /ajax/openvpn/activate_ovpncfg.php or /ajax/openvpn/del_ovpncfg.php present in the web root is exposed.
Check Version:
grep -rn 'RASPI_VERSION' /var/www/html/includes/ 2>/dev/null || echo 'RASPI_VERSION not found: not a RaspAP web root, or a non-default path'
Verify Fix Applied:
The version reads 2.8.8 or higher, and in both endpoint files cfg_id is validated or shell-escaped before it reaches a shell command. As a functional check, activating and deleting a profile from the OpenVPN page should still work, while a cfg_id that is not a plain profile name should be rejected rather than executed.
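The checks above as one script that can be run on the Pi or against a copied web root. This is an added example, not RaspAP project code; it assumes the default web root /var/www/html and that the version is declared as define('RASPI_VERSION', 'x.y.z') in includes/defaults.php.

```shell
#!/bin/sh
# Added example, not RaspAP project code: decide from the installed files
# whether a RaspAP web root falls in the CVE-2022-39986 range (2.8.0 through
# 2.8.7). Assumes RaspAP's default web root /var/www/html and the version
# constant define('RASPI_VERSION', 'x.y.z') in includes/defaults.php.
set -u

# Print x.y.z from a defaults.php-style file, or nothing if it is not there.
raspap_version() {
    sed -n "s/.*define('RASPI_VERSION', *'\([0-9][0-9.]*\)'.*/\1/p" "$1" 2>/dev/null | head -n 1
}

# Compare dotted versions component by component; prints -1, 0 or 1.
# Avoids sort -V and dpkg so it also runs on minimal images.
vercmp() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        x="${a%%.*}"; y="${b%%.*}"
        [ "${x:-0}" -lt "${y:-0}" ] && { printf '%s\n' -1; return 0; }
        [ "${x:-0}" -gt "${y:-0}" ] && { printf '%s\n' 1; return 0; }
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
    done
    printf '%s\n' 0
}

# True when 2.8.0 <= version <= 2.8.7.
is_vulnerable_version() {
    [ "$(vercmp "$1" 2.8.0)" -ge 0 ] && [ "$(vercmp "$1" 2.8.7)" -le 0 ]
}

# Report on a web root. Exit status: 0 patched, 1 vulnerable, 2 undetermined.
check_install() {
    root="${1:-/var/www/html}"
    v="$(raspap_version "$root/includes/defaults.php")"
    if [ -z "$v" ]; then
        echo "UNKNOWN: no RASPI_VERSION under $root/includes (not RaspAP, or a non-default path)"
        return 2
    fi
    for f in ajax/openvpn/activate_ovpncfg.php ajax/openvpn/del_ovpncfg.php; do
        [ -f "$root/$f" ] && echo "endpoint present: $f"
    done
    if is_vulnerable_version "$v"; then
        echo "VULNERABLE: RaspAP $v is in the affected range 2.8.0-2.8.7"
        return 1
    fi
    echo "PATCHED: RaspAP $v (fix shipped in 2.8.8)"
    return 0
}

# Usage: sh raspap_check.sh [webroot]   (defaults to /var/www/html when an argument is given as "")
if [ $# -gt 0 ]; then
    check_install "$1"
fi
```

The exit status is meant for fleet use: loop the script over hosts with ssh and collect the ones returning 1. A version in range with the endpoint files missing still reports VULNERABLE, because the files come back on the next reinstall; only the version tells you the code is fixed.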
📡 Detection & Monitoring
Log Indicators:
- POST requests to /ajax/openvpn/activate_ovpncfg.php or /ajax/openvpn/del_ovpncfg.php from unexpected clients, especially with automation user agents. Note that cfg_id travels in the POST body, which lighttpd, Apache and Nginx access logs do not record by default, so the metacharacter checks below need a WAF audit log or a reverse proxy configured to log request bodies
- Request bodies whose cfg_id value contains ;, |, backticks, $() or their percent-encoded forms (%3B, %7C, %26, %60, %24, %28, %29)
- Processes spawned by the web server user (www-data) that are not RaspAP's own helper commands, in particular curl, wget, nc or interpreters
- /var/log/auth.log entries where sudo refuses a command for www-data, a sign that an injected payload tried to step outside the RaspAP sudoers allowlist
Network Indicators:
- Requests carrying shell metacharacters in POST bodies to the two endpoints, where a proxy or IDS can see the body
- Outbound connections from the Raspberry Pi to unfamiliar hosts shortly after such requests
SIEM Query (pseudo-syntax; adapt field names to your log source):
source="web_access.log" AND method="POST" AND uri IN ("/ajax/openvpn/activate_ovpncfg.php", "/ajax/openvpn/del_ovpncfg.php")
# add the body condition only where the source records request bodies:
AND request_body MATCHES "cfg_id=[^&]*([;|`$()]|%3[bB]|%7[cC]|%26|%60|%24|%28|%29)"
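The same logic run over a log file on the Pi, as an added example that is not part of the original page or the RaspAP project. The five log lines are constructed for the example: three in lighttpd's default CLF format and two from a hypothetical proxy that appends a body="..." field (that field name is an assumption; real proxies and WAFs use their own formats). The default lighttpd access log on Debian is /var/log/lighttpd/access.log.

```shell
#!/bin/sh
# Added example, not RaspAP project code: scan a web-server or proxy log for
# hits on the two CVE-2022-39986 endpoints and for cfg_id values carrying shell
# metacharacters, raw or percent-encoded. Plain access logs omit POST bodies,
# so injection_hits only fires on sources that record the body.
set -u

ENDPOINT_RE='/ajax/openvpn/(activate_ovpncfg|del_ovpncfg)\.php'
# ; | ` $ ( ) as literals plus the %XX forms of ; & | ` $ ( ).
# Raw & is left out because it is the form-field separator, not a payload.
META_RE='[;|`$()]|%3[bB]|%26|%7[cC]|%60|%24|%28|%29'

# Every line that touched the endpoints, whatever the method or status.
endpoint_hits() { grep -E "$ENDPOINT_RE" "$1"; }

# Among those, lines whose cfg_id value contains a metacharacter. The value is
# read up to the next space, & or quote so the test stays inside one field.
injection_hits() {
    grep -E "$ENDPOINT_RE" "$1" | grep -E "cfg_id=[^ &\"]*($META_RE)"
}

# Unique client addresses that touched the endpoints, for triage.
endpoint_clients() { endpoint_hits "$1" | awk '{print $1}' | sort -u; }

# Constructed sample log (not real traffic): CLF lines as lighttpd writes them,
# plus two lines from a hypothetical proxy that logs body="..." (assumed format).
sample_log() {
    cat <<'EOF'
192.0.2.10 - - [10/Aug/2023:12:00:01 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.10 - - [10/Aug/2023:12:00:02 +0000] "POST /ajax/openvpn/activate_ovpncfg.php HTTP/1.1" 200 18 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Aug/2023:12:00:03 +0000] "POST /ajax/openvpn/del_ovpncfg.php HTTP/1.1" 200 18 "-" "python-requests/2.31.0"
198.51.100.7 - - [10/Aug/2023:12:00:04 +0000] "POST /ajax/openvpn/activate_ovpncfg.php HTTP/1.1" 200 18 body="cfg_id=client1%3Bid%3E%2Ftmp%2Fo"
192.0.2.10 - - [10/Aug/2023:12:00:05 +0000] "POST /ajax/openvpn/activate_ovpncfg.php HTTP/1.1" 200 18 body="cfg_id=client1"
EOF
}

# Usage: sh scan.sh /var/log/lighttpd/access.log ; without an argument the
# constructed sample is scanned.
if [ $# -gt 0 ]; then
    log="$1"
else
    log="$(mktemp)"; sample_log > "$log"
fi
echo "== endpoint hits"; endpoint_hits "$log"
echo "== cfg_id with metacharacters (needs body logging)"; injection_hits "$log" || true
echo "== clients"; endpoint_clients "$log"
```

On the sample, every POST to the endpoints is listed, only the line with cfg_id=client1%3Bid... is flagged as an injection attempt, and the benign cfg_id=client1 is not. In practice the endpoint_hits list is the one to act on for a stock install, since without body logging the metacharacter test has nothing to look at.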
🔗 References
- http://packetstormsecurity.com/files/174190/RaspAP-2.8.7-Unauthenticated-Command-Injection.html
- https://github.com/RaspAP/raspap-webgui/blob/master/ajax/openvpn/activate_ovpncfg.php
- https://medium.com/%40ismael0x00/multiple-vulnerabilities-in-raspap-3c35e78809f2