CVE-2023-22855
📋 TL;DR
CVE-2023-22855 is a critical remote code execution vulnerability in Kardex Mlog MCC warehouse management software. It allows attackers to upload malicious .t4 template files that get executed by the .NET templating engine, leading to complete system compromise. Organizations using affected versions of Kardex Mlog MCC with the web interface exposed are at risk.
💻 Affected Systems
- Kardex Mlog MCC
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise allowing attackers to execute arbitrary code, steal sensitive data, install malware, pivot to other systems, and disrupt warehouse operations.
Likely Case
Remote code execution leading to data theft, ransomware deployment, or system takeover for cryptocurrency mining or botnet participation.
If Mitigated
Limited impact if proper network segmentation and access controls prevent exploitation attempts.
🎯 Exploit Status
Multiple public exploit scripts are available, including on Exploit-DB and GitHub. The attack requires minimal technical skill to execute.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: Not publicly available
Restart Required: No
Instructions:
Contact Kardex directly for patching guidance. No official patch information is publicly documented in the provided references.
🔧 Temporary Workarounds
Block Port 8088
Block access to the vulnerable web interface port using firewall rules (all platforms)
Windows: netsh advfirewall firewall add rule name="Block Mlog MCC" dir=in action=block protocol=TCP localport=8088
Linux: iptables -A INPUT -p tcp --dport 8088 -j DROP
Disable Web Interface
Disable or stop the web service component if not required (Windows)
Check service configuration in Mlog MCC administration panel or Windows Services
🧯 If You Can't Patch
- Implement strict network segmentation to isolate Mlog MCC systems from untrusted networks
- Deploy web application firewall (WAF) rules to block file inclusion patterns and .t4 file uploads
🔍 How to Verify
Check if Vulnerable:
Check whether port 8088 is listening and accessible. Test by attempting to access http://[target]:8088/ and checking for the Mlog MCC interface.
Check Version:
Check the software version through the Mlog MCC administration interface or installed program details in Windows.
Verify Fix Applied:
Verify port 8088 is no longer accessible or that firewall rules are blocking the port. Test with nmap or telnet to confirm.
📡 Detection & Monitoring
Log Indicators:
- Unusual file uploads to port 8088
- .t4 file processing in application logs
- Unexpected process execution from web service
Network Indicators:
- HTTP requests to port 8088 with file upload patterns
- SMB connections initiated by the Mlog MCC service
- Outbound connections from Mlog MCC to unknown IPs
SIEM Query:
source_port:8088 AND (http_method:POST OR file_extension:".t4") OR process_name:"t4" OR cmdline:"mono/t4"
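The indicators listed above, evaluated over normalized events, as an added example (not code from the vendor or the referenced advisory). The event schema, field names, addresses and sample events are constructed assumptions; the POST and .t4 conditions are grouped under the port 8088 condition, and the process conditions are checked independently.

```python
MCC_PORT = 8088             # web interface port named on this page
MCC_HOSTS = {"10.0.5.10"}   # constructed address standing in for the MCC server
KNOWN_PEERS = {"10.0.5.2"}  # constructed allow-list of expected peers

def indicators(ev):
    """Return the page's indicators matched by one normalized event."""
    kind, hits = ev.get("kind"), []
    if kind == "http" and ev.get("dest_port") == MCC_PORT:
        if ev.get("filename", "").lower().endswith(".t4"):
            hits.append("t4-upload")        # template file sent to the web interface
        elif ev.get("method", "").upper() == "POST":
            hits.append("post-to-mcc")      # upload pattern worth reviewing
    elif kind == "process":
        # Same two conditions as the query: process_name "t4" or cmdline "mono/t4".
        if (ev.get("process_name", "").lower() == "t4"
                or "mono/t4" in ev.get("cmdline", "").lower()):
            hits.append("t4-exec")
    elif kind == "conn" and ev.get("src_ip") in MCC_HOSTS:
        if ev.get("dest_port") == 445:
            hits.append("smb-from-mcc")     # SMB initiated by the MCC host
        elif ev.get("dest_ip") not in KNOWN_PEERS:
            hits.append("unknown-outbound")
    return hits

def scan(events):
    """Return (index, indicators) for every event that matches something."""
    return [(i, h) for i, ev in enumerate(events) if (h := indicators(ev))]

# Constructed sample events (hypothetical schema, not real product logs).
SAMPLE_EVENTS = [
    {"kind": "http", "dest_port": 8088, "method": "GET"},
    {"kind": "http", "dest_port": 8088, "method": "POST", "filename": "layout.T4"},
    {"kind": "http", "dest_port": 8088, "method": "POST", "filename": "stock.csv"},
    {"kind": "process", "process_name": "mono", "cmdline": "mono/t4 layout.t4"},
    {"kind": "conn", "src_ip": "10.0.5.10", "dest_ip": "10.0.5.30", "dest_port": 445},
    {"kind": "conn", "src_ip": "10.0.5.10", "dest_ip": "10.0.5.2", "dest_port": 1433},
    {"kind": "conn", "src_ip": "10.0.5.10", "dest_ip": "203.0.113.7", "dest_port": 443},
    {"kind": "http", "dest_port": 443, "method": "POST", "filename": "x.t4"},
]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_EVENTS):
        print(idx, hits, SAMPLE_EVENTS[idx])
```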
🔗 References
- http://packetstormsecurity.com/files/171046/Kardex-Mlog-MCC-5.7.12-0-a203c2a213-master-File-Inclusion-Remote-Code-Execution.html
- http://packetstormsecurity.com/files/171689/Kardex-Mlog-MCC-5.7.12-Remote-Code-Execution.html
- http://seclists.org/fulldisclosure/2023/Feb/10
- https://github.com/patrickhener/CVE-2023-22855/blob/main/advisory/advisory.md
- https://www.exploit-db.com/exploits/51239