{"vulnerability": "CVE-2022-26377", "sightings": [{"uuid": "bd2f997a-796b-479a-a088-e9b53f9107aa", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2022-26377", "type": "seen", "source": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-133-01", "content": "", "creation_timestamp": "2025-05-13T10:00:00.000000Z"}, {"uuid": "ad35ab3a-0b1c-4a96-9ca0-873c869a50b6", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2022-26377", "type": "published-proof-of-concept", "source": "https://t.me/cKure/12735", "content": "\u25a0\u25a0\u25a0\u25a1\u25a1 IBM QRadar - When The Attacker Controls Your Security Stack (CVE-2022-26377).\n\nhttps://labs.watchtowr.com/ibm-qradar-when-the-attacker-controls-your-security-stack/", "creation_timestamp": "2024-04-16T19:51:40.000000Z"}, {"uuid": "a952369e-3e63-42fc-990d-c716ace9bcad", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2022-26377", "type": "published-proof-of-concept", "source": "https://t.me/cKure/11842", "content": "\u25a0\u25a0\u25a0\u25a0\u25a0 Zero-Day: CVE-2023-46747 (Score 9.8); an unauthenticated remote code execution vulnerability via a side-channel from the management interface (Traffic Management User Interface (TMUI) and is closely related to CVE-2022-26377 which is a HTTP request smuggling vulnerability).\n\nF5 has alerted customers of a critical security vulnerability impacting BIG-IP that could result in unauthenticated remote code execution by running arbitrary commands. 
This only affects the control plane and not the data plane.\n\nApparently, at the management console; sending requests to the \u201cbackend\u201d service that assumes the \u201cfrontend\u201d handled authentication is leading to this issue using HRS.\n\nTrack this issue at: http://ckure.esy.es/archives/13495\n\nhttps://www.praetorian.com/blog/refresh-compromising-f5-big-ip-with-request-smuggling-cve-2023-46747/\n\nhttps://my.f5.com/manage/s/article/K000137353\n\nhttps://thehackernews.com/2023/10/f5-issues-warning-big-ip-vulnerability.html", "creation_timestamp": "2023-10-27T19:50:20.000000Z"}, {"uuid": "d025192d-94e2-4290-be97-93d5825f68ed", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2022-26377", "type": "published-proof-of-concept", "source": "https://t.me/ptswarm/192", "content": "Refresh: Compromising F5 BIG-IP With Request Smuggling | CVE-2023-46747\n\n\ud83d\udc64 by Michael Weber and Thomas Hendrickson\n\nAs a result of the research researchers were able to identify an authentication bypass issue that led to complete compromise of an F5 system with the Traffic Management User Interface (TMUI) exposed. The bypass was assigned CVE-2023-46747, and is closely related to CVE-2022-26377. Like they recently reported Qlik RCE, the F5 vulnerability was also a request smuggling issue. In this blog authors will discuss their methodology for identifying the vulnerability, walk through the underlying issues that caused the bug, and explain the steps they took to turn the request smuggling into a critical risk issue. 
They will conclude with remediation steps and their thoughts on the overall process.\n\n\ud83d\udcdd Contents:\n\u25cf Overview\n\u25cf Mapping out the F5 BIG-IP Attack Surface\n\u25cf F5 Traffic Management User Interface (TMUI) Overview\n\u25cf Verifying AJP Smuggling\n\u25cf AJP Smuggling and Server Interpretation\n\u25cf But What To Do With the Smuggling?\n\u25cf Remediation\n\u25cf Conclusion\n\u25cf Disclosure Timeline\n\nhttps://www.praetorian.com/blog/refresh-compromising-f5-big-ip-with-request-smuggling-cve-2023-46747/", "creation_timestamp": "2023-10-27T05:50:12.000000Z"}, {"uuid": "6f05b3bb-5e3d-4c8e-a075-b6d92af7c868", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2022-26377", "type": "seen", "source": "Telegram/Hf_SunJuoYNf_bsQCJ20cuXyI7bzH8EMEXzusn30k3vpXeQ", "content": "", "creation_timestamp": "2024-10-15T10:14:15.000000Z"}, {"uuid": "f5ddfac3-f5f4-4ded-ade3-e5518e09b6c6", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2022-26377", "type": "seen", "source": "https://t.me/true_secator/5640", "content": "WatchTowr researchers are asking why the industry panics over a backdoor in libraries while security solution vendors cannot even 
update the libraries used in their products, allowing trivial exploitation.\n\nIn short, they came down hard on IBM, which had not been updating its flagship product, one might say the company's crown jewel and the heart of the security stack of many of its customers: QRadar SIEM.\n\nBy leaving it vulnerable to a long-standing Apache server bug (CVE-2022-26377, CVSS: 7.3), the vendor gave attackers the ability to hijack 
a user's session and take control of a QRadar SIEM instance in a single request.\n\nThe vendor was, of course, notified and the corresponding fixes were released, but an unpleasant aftertaste remained.", "creation_timestamp": "2024-04-15T18:30:05.000000Z"}, {"uuid": "15a7e4e8-29fb-4c74-a0f7-168d2f730d7d", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2022-26377", "type": "seen", "source": "https://t.me/CyberSecurityTechnologies/6376", "content": "#exploit\n1. CVE-2022-30308, CVE-2022-30309, CVE-2022-30310, CVE-2022-30311:\nFESTO: CECC-X-M1 - Command Injection Vulnerabilities\nhttps://onekey.com/blog/advisory-festo-cecc-x-m1-command-injection-vulnerabilities\n\n2. CVE-2022-26377:\nApache HTTPd AJP Request Smuggling\nhttp://noahblog.360.cn/apache-httpd-ajp-request-smuggling", "creation_timestamp": "2022-07-11T12:37:51.000000Z"}]}