CVE-2022-33174 Scanner
Detects 'Authorization Bypass' vulnerability in Powertek firmware affects v. before 3.30.30.
Short Info
Level
High
Single Scan
Single Scan
Can be used by
Asset Owner
Estimated Time
10 second
Time Interval
1 month
Scan only one
Domain, Ipv4
Toolbox
-
Power Distribution Units (PDUs) are important devices that aid power supply in data centers and server rooms. Powertek firmware is a popular software used by multiple PDU brands to run their devices. The firmware is responsible for managing power distribution, monitoring and controlling power usage in racks, and providing real-time data to administrators. Powertek firmware is favored by many companies because of its flexibility, scalability, and compatibility with different PDU brands.
However, a critical vulnerability, CVE-2022-33174, has been detected in Powertek firmware before version 3.30.30. The vulnerability allows remote authorization bypass in the web interface, and attackers can exploit it by sending an HTTP packet to the data retrieval interface (/cgi/get_param.cgi) with the tmpToken cookie value set to an empty string followed by a semicolon. This allows the attacker to bypass the active session authorization check, thereby granting system access to unauthorized users.
When exploited, this vulnerability can give attackers full control over the PDU, allowing them to manipulate power usage in the PDU, disrupt power supply to connected devices, and access critical data stored in the PDU. Exposing devices to potential cyber-attacks could lead to costly damages, including loss of data, business disruption, and reputational damage.
s4e.io is a platform that offers comprehensive security solutions to businesses and individuals. Through its pro features, users can access valuable information about vulnerabilities in their digital assets, get insights about threats to their systems, and learn how to mitigate risks. By subscribing to the platform, users can stay up-to-date on the latest security trends and technologies, and keep their systems protected from emerging cyber threats. Protecting sensitive business data and systems from cyber-attacks is critical, and s4e.io offers the expertise and resources to achieve that.
REFERENCES