CVE-2022-50791
📋 TL;DR
This vulnerability allows unauthenticated attackers to execute arbitrary commands on SOUND4 IMPACT/FIRST/PULSE/Eco systems by sending a single HTTP POST request to the ping.php script. Attackers can create malicious files in the /tmp directory that get executed, then automatically deleted. All users running affected versions are vulnerable to remote code execution.
💻 Affected Systems
- SOUND4 IMPACT
- SOUND4 FIRST
- SOUND4 PULSE
- SOUND4 Eco
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise allowing attackers to install persistent backdoors, steal sensitive data, pivot to other systems, or deploy ransomware.
Likely Case
Attackers gain shell access to run arbitrary commands, potentially installing cryptocurrency miners, creating backdoors, or using the system as a foothold for lateral movement.
If Mitigated
With proper network segmentation and access controls, impact is limited to the vulnerable system only, preventing lateral movement to other critical assets.
🎯 Exploit Status
Exploit code is publicly available on Packet Storm Security and other sources. The attack requires only basic HTTP knowledge and can be automated.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: https://www.sound4.com/
Restart Required: No
Instructions:
Check vendor website for security updates. If no patch is available, apply workarounds immediately.
🔧 Temporary Workarounds
Remove or Restrict ping.php Access
Platform: Linux. Delete or rename the vulnerable ping.php script to prevent exploitation. Use one of the following commands:
sudo rm /path/to/webroot/ping.php
sudo mv /path/to/webroot/ping.php /path/to/webroot/ping.php.disabled
Web Server Access Control
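Platform: all. Configure the web server to block access to ping.php using .htaccess or an equivalent. The directives below use Apache 2.2 syntax; Apache 2.4 accepts them only with mod_access_compat loaded.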
<Files "ping.php">
Order allow,deny
Deny from all
</Files>
🧯 If You Can't Patch
- Implement strict network segmentation to isolate affected systems from critical networks
- Deploy web application firewall (WAF) rules to block requests to ping.php and monitor for exploitation attempts
🔍 How to Verify
Check if Vulnerable:
Check if ping.php exists in web directory and test with curl: curl -X POST http://target/ping.php
Check Version:
Check system documentation or contact vendor for version information
Verify Fix Applied:
Verify that ping.php is removed or renamed and that the curl test returns 404 or access denied
📡 Detection & Monitoring
Log Indicators:
- HTTP POST requests to /ping.php
- Unusual process execution from web user context
- File creation in /tmp directory by web server
Network Indicators:
- HTTP POST requests to ping.php endpoint
- Outbound connections from web server to unusual destinations
SIEM Query:
source="web_server" AND (uri="/ping.php" OR uri LIKE "%ping.php%") AND method="POST"
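The log indicators above can also be checked directly against a web server access log. The following is an added example, not vendor or advisory code: it assumes Apache/nginx combined log format, and the sample lines are constructed. It normalises the request path before matching and separates POSTs that reached ping.php from those answered with 403/404 by the workarounds.

```python
import re
from collections import defaultdict
from urllib.parse import unquote, urlsplit

# Combined log format: ip ident user [time] "METHOD target PROTO" status ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '198.51.100.7 - - [12/Dec/2022:10:01:02 +0000] "POST /ping.php HTTP/1.1" 200 31 "-" "curl/7.81.0"',
    '198.51.100.7 - - [12/Dec/2022:10:01:09 +0000] "POST /ping.php?x=1 HTTP/1.1" 200 31 "-" "curl/7.81.0"',
    '203.0.113.9 - - [12/Dec/2022:11:30:00 +0000] "POST /ping.php HTTP/1.1" 403 199 "-" "python-requests/2.28"',
    '192.0.2.44 - - [12/Dec/2022:11:31:00 +0000] "GET /ping.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [12/Dec/2022:11:32:00 +0000] "POST /login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]

def is_ping_php(target):
    """True if the request path names ping.php once decoded."""
    path = urlsplit(target).path  # drops the query string
    # Decode twice so double-encoded paths are normalised too.
    path = unquote(unquote(path))
    # Any segment counts: /ping.php/extra (PATH_INFO) may still reach the script.
    return any(seg.lower() == "ping.php" for seg in path.split("/"))

def find_ping_posts(lines):
    """Map client IP -> counts of POSTs that reached ping.php or were blocked."""
    hits = defaultdict(lambda: {"reached": 0, "blocked": 0, "first_seen": None})
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST" or not is_ping_php(m["target"]):
            continue
        entry = hits[m["ip"]]
        entry["first_seen"] = entry["first_seen"] or m["ts"]
        # 403/404 means the deny rule or the removed file answered instead.
        key = "blocked" if m["status"] in ("403", "404") else "reached"
        entry[key] += 1
    return dict(hits)

if __name__ == "__main__":
    for ip, info in find_ping_posts(SAMPLE_LOG).items():
        print(ip, info)
```

Any client with a non-zero "reached" count should be treated as a possible compromise and correlated with the /tmp file creation and web-user process indicators listed above.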
🔗 References
- https://exchange.xforce.ibmcloud.com/vulnerabilities/247915
- https://packetstormsecurity.com/files/170262/SOUND4-IMPACT-FIRST-PULSE-Eco-2.x-ping.php-Command-Injection.html
- https://www.sound4.com/
- https://www.vulncheck.com/advisories/sound-impactfirstpulseeco-x-conditional-command-injection-via-pingphp
- https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5735.php