Recently, cybersecurity researchers at VulnCheck revealed that hundreds of internet-exposed SolarView systems on Shodan have been patched against a critical command injection vulnerability.
Experts indicated that both the Mirai botnet hackers and inexperienced individuals have already begun exploiting it, with more expected to join in.
Unit 42 researchers at Palo Alto Networks found that the Mirai botnet is exploiting a command injection vulnerability (CVE-2022-29303) in Contec’s SolarView Series software to spread.
Over 30,000 solar power stations utilize SolarView, and among the critical vulnerabilities, CVE-2022-29303 stands as one of three.
Flaw Profile
- CVE ID: CVE-2022-29303
- Description: SolarView Compact ver.6.00 was discovered to contain a command injection vulnerability via conf_mail.php.
- CVSS Score: 9.8
- Severity: CRITICAL
SolarView Systems Indexed
Currently, there are over 600 systems indexed by Shodan. SolarView tracks and displays solar power generation and storage for small to medium-scale installations.
Given the indexed public exploits by VulnCheck Exploit Intelligence, experts delved into exploring the potential scope and impact of this exploitation in real-world scenarios.
Besides its introduction on more than 30000 power stations, Contec also highlights the deployment scenarios for:-
- SolarView Air
- SolarView Battery
This shows the hardware’s application in buildings and solar power plants that are commercial in nature.
While one should never come across an internet-accessible Contec SolarView due to its clear focus on ICS networks.
SolarView’s impacted versions include ‘ver.6.00,’ which dates back to 2019, and since then, SolarView Compact has undergone four firmware updates:-
- 6.20 in 2019
- 7.00 in 2021
- 8.00 in 2022
- 8.10 in 2023
It implies that a limited number of exposed hosts are susceptible to the vulnerability. CVE-2022-29303 impacts the conf_mail.php endpoint of the web server, and despite version 6.20 being released after the vulnerable 6.00, it did not address the problem.
Both versions 6.00 and 6.20 were affected, with experts discovering the existence of a simple command injection in conf_mail.php since version 4.00.
Validation was implemented for the attacker-controlled $mail_address variable only in version 8.00 when conf_mail.php was included in the auth require list.
The impact extends beyond what the CVE description suggests, as less than one-third of the internet-exposed SolarView series systems have addressed CVE-2022-29303.
The blog from Unit 42 wasn’t the initial signal of the vulnerability being exploited; since May 2022, an Exploit-DB entry for CVE-2022-29303 has existed.
Other RCEs
The SolarView systems are also impacted by a few additional unauthenticated Remote Code Executions (RCEs), and here they are mentioned below:-
Up to version 8.00, the SolarView series is vulnerable to CVE-2023-23333, and it’s a simple command injection impacting the downloader.php endpoint.
Compact versions 4.0, 5.0, and 6.0 are susceptible to CVE-2022-44354, a file upload vulnerability enabling attackers to upload a PHP web shell onto the system.
Since the SolarView series primarily serve as a monitoring system, the worst-case scenario would likely involve a loss of visibility.
The exploitation’s impact can vary significantly depending on the network integration of the SolarView hardware, potentially resulting in substantial consequences.
It is crucial for organizations to monitor their public IP space and stay updated on public exploits targeting their essential systems.
“AI-based email security measures Protect your business From Email Threats!” – Request a Free Demo.
