CVE-2022-47703 – The TIANJIE CPE906-3 device has a vulnerability... (How to Fix)

Q: What is the severity of CVE-2022-47703?

CVE-2022-47703 has a CVSS score of 7.5 (HIGH). The TIANJIE CPE906-3 device has a vulnerability that allows unauthenticated attackers to retrieve administrative passwords. This affects devices running specific firmware and hardware versions, potentially compromising network security for organizations using these devices.

📋 TL;DR

The TIANJIE CPE906-3 device has a vulnerability that allows unauthenticated attackers to retrieve administrative passwords. This affects devices running specific firmware and hardware versions, potentially compromising network security for organizations using these devices.

💻 Affected Systems

Products:

TIANJIE CPE906-3

Versions: Software Version WEB5.0_LCD_20200513, Firmware Version MV8.003, Hardware Version CPF906-V5.0_LCD_20200513

Operating Systems: Embedded system

Default Config Vulnerable: ⚠️ Yes

Notes: The vulnerability appears to be present in the default configuration of affected versions.

📦 What is this software?

Cpe906 3 by Tianjie

View all CVEs affecting Cpe906 3 →

Cpe906 3 Firmware by Tianjie

View all CVEs affecting Cpe906 3 Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers gain full administrative control of the device, allowing them to reconfigure network settings, intercept traffic, or use the device as an entry point into the network.

🟠

Likely Case

Attackers obtain administrative credentials and use them to modify device configurations, potentially disrupting network services or enabling further attacks.

🟢

If Mitigated

With proper network segmentation and access controls, the impact is limited to the compromised device only.

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

The exploit requires no authentication and appears to be simple to execute based on available documentation.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Not available

Restart Required: No

Instructions:

No official patch available. Contact vendor for updated firmware or consider replacing affected devices.

🔧 Temporary Workarounds

Network Segmentation

all

Isolate affected devices from untrusted networks and limit access to management interfaces.

Access Control Lists

all

Implement firewall rules to restrict access to device management interfaces to authorized IP addresses only.

🧯 If You Can't Patch

Remove affected devices from internet-facing positions immediately
Implement strict network segmentation and monitor all traffic to/from affected devices

🔍 How to Verify

Check if Vulnerable:

Check device version information in web interface or via console. If running affected versions, assume vulnerable.

Check Version:

Check device web interface or console for version information

Verify Fix Applied:

No official fix available to verify. Monitor for vendor updates.

📡 Detection & Monitoring

Log Indicators:

Unauthenticated access attempts to password-related endpoints
Unusual configuration changes

Network Indicators:

Unauthenticated HTTP requests to device management interface from unexpected sources

SIEM Query:

source_ip NOT IN authorized_management_ips AND dest_port=80 AND uri_contains='password'

📊 Metadata

CVE ID: CVE-2022-47703

CVSS v3 Score: 7.5 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CWE: CWE-306

Published: February 16, 2023

Last Updated: March 18, 2025

🔗 References

https://github.com/OlivierLaflamme/cve/blob/main/TIANJIE/CPE906-3/unauth_password_disclosure.md Exploit,Third Party Advisory
https://github.com/OlivierLaflamme/cve/blob/main/TIANJIE/CPE906-3/unauth_password_disclosure.md Exploit,Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2022-47703, you might also want to check these: