External risk intelligence

Weaver E-office allows attackers to upload malicious files and take control of systems.

CVE advisory. Severity: CRITICAL (CVSS 9.3)

CVE-2022-50993

Weaver E-office has a critical flaw allowing anyone to upload malicious files, potentially taking full control of your systems remotely without needing a password.

Halo Surface Signal: 4

Unrestricted File Upload

External exposure likelihood

Halo Surface Signal score for CVE-2022-50993

Weaver E-office is a web-based office automation platform. Enterprise collaboration software of this type is frequently deployed internet-facing to give employees remote access, so in common deployment patterns the web application, and specifically the OfficeServer.php endpoint, is directly reachable from the public internet.

Horizon Alert

Summary of the vulnerability and why it matters

This vulnerability allows unauthenticated attackers to upload and execute malicious files on affected Weaver E-office systems. This could lead to full compromise of the web server.

  • Remote code execution is possible.
  • Business operations could be disrupted.
  • Attacks can be performed over the internet.

Attack Path

How an attacker could exploit the issue

An unauthenticated attacker can exploit this vulnerability by uploading a webshell to the server. This allows them to execute arbitrary code as the web server user, leading to full system compromise.

  • Remote attackers can abuse this.
  • The target is the OfficeServer.php endpoint.
  • Uploaded webshells land in the Document directory.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability allows unauthenticated attackers to upload webshells, enabling remote code execution on internet-facing Weaver E-office servers. Exploitation was observed in late 2022, indicating a clear threat to systems running unpatched versions.

  • Observed exploitation in 2022.
  • No public exploit availability noted.
  • No KEV listing signal.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Prioritize investigating Weaver E-office instances for the unauthenticated arbitrary file upload vulnerability, as exploitation evidence has been observed. Given the critical severity and observed exploitation, consider isolating affected services if immediate patching is not feasible.

  • Block multipart POST requests to OfficeServer.php.
  • Monitor for webshell execution via HTTP GET requests.
  • Update Weaver E-office to version 10.0_20221201 or later.
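The two interim controls above (block multipart POSTs to OfficeServer.php, watch for GETs that execute something out of the Document directory) are small enough to show in code. The following is an added example written for this page, not code from Weaver or from the advisory: a request check a WAF or reverse-proxy hook could apply, plus a scanner that runs the detection over web-server access-log lines and correlates, per client, an upload-endpoint POST followed by a script fetch from the Document directory. The log format (Apache/nginx "combined"), the `/Document/` path prefix, the list of script extensions, and every IP address and filename in the sample log are assumptions constructed for the example; the real Document path and PHP handler extensions depend on the deployment.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional
from urllib.parse import urlsplit

# Endpoint named in the advisory; matched case-insensitively on the path basename
# so it also catches deployments that mount the app under a sub-path.
UPLOAD_ENDPOINT = "officeserver.php"
# Assumption: the "Document directory" from the advisory is served under /Document/.
DOCUMENT_DIR = "/document/"
# Assumption: extensions the PHP handler will execute; check the real server config.
SCRIPT_EXTENSIONS = (".php", ".phtml", ".php5")

# Apache/nginx "combined" access-log line (client, identd, user, [timestamp], "request", status, size).
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)'
)


@dataclass(frozen=True)
class Finding:
    line_no: int
    client: str
    rule: str
    request: str


def _is_upload_endpoint(target: str) -> bool:
    return urlsplit(target).path.lower().endswith("/" + UPLOAD_ENDPOINT)


def should_block_request(method: str, target: str, content_type: Optional[str]) -> bool:
    """Interim blocking rule: a multipart POST aimed at OfficeServer.php.

    Returns True when the request should be rejected. Only multipart uploads are
    blocked so that other (non-upload) use of the endpoint is left alone.
    """
    if method.upper() != "POST" or not _is_upload_endpoint(target):
        return False
    return content_type is not None and content_type.lower().startswith("multipart/form-data")


def classify_request(method: str, target: str) -> Optional[str]:
    """Map one logged request to a detection rule name, or None if uninteresting."""
    path = urlsplit(target).path.lower()
    if method == "POST" and path.endswith("/" + UPLOAD_ENDPOINT):
        return "upload-endpoint-post"
    if method == "GET" and DOCUMENT_DIR in path and path.endswith(SCRIPT_EXTENSIONS):
        # A script being fetched (and therefore executed) from a directory that should
        # only hold uploaded documents is the webshell-execution signal.
        return "document-script-get"
    return None


def scan_access_log(lines: Iterable[str]) -> List[Finding]:
    """Run the detection rules over access-log lines; unparseable lines are skipped."""
    findings: List[Finding] = []
    for line_no, line in enumerate(lines, start=1):
        m = LOG_RE.match(line)
        if not m:
            continue
        rule = classify_request(m["method"], m["target"])
        if rule:
            findings.append(Finding(line_no, m["client"], rule,
                                    f'{m["method"]} {m["target"]} {m["status"]}'))
    return findings


def correlate_by_client(findings: Iterable[Finding]) -> List[str]:
    """Clients that both POSTed to the upload endpoint and fetched a script from Document/.

    Either signal alone may be benign traffic; the pair from one client is the
    high-confidence indicator worth paging on.
    """
    rules_by_client = {}
    for f in findings:
        rules_by_client.setdefault(f.client, set()).add(f.rule)
    wanted = {"upload-endpoint-post", "document-script-get"}
    return sorted(c for c, rules in rules_by_client.items() if wanted <= rules)


# Constructed sample log lines (addresses from documentation ranges, filenames invented).
SAMPLE_LOG = [
    '203.0.113.7 - - [02/Dec/2022:10:15:01 +0000] "GET /index.php HTTP/1.1" 200 5120',
    '203.0.113.7 - - [02/Dec/2022:10:15:09 +0000] "POST /OfficeServer.php HTTP/1.1" 200 231',
    '203.0.113.7 - - [02/Dec/2022:10:15:12 +0000] "GET /Document/x.php HTTP/1.1" 200 88',
    '198.51.100.4 - - [02/Dec/2022:10:16:30 +0000] "GET /Document/report.docx HTTP/1.1" 200 40960',
    '198.51.100.9 - - [02/Dec/2022:10:17:02 +0000] "POST /OfficeServer.php HTTP/1.1" 200 231',
]

if __name__ == "__main__":
    hits = scan_access_log(SAMPLE_LOG)
    for h in hits:
        print(f"line {h.line_no}: {h.client} {h.rule} ({h.request})")
    print("correlated clients:", correlate_by_client(hits))
```

Treat the blocking rule as a stop-gap until the 10.0_20221201 update is applied: it refuses every multipart upload through OfficeServer.php, legitimate ones included, so announce it before enabling it. The log scan is the part worth keeping afterwards, since a GET for a script under the Document directory should never happen on a healthy instance.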

Frequently asked questions

What is Weaver E-office and what is it used for?

Weaver E-office is a web-based office automation platform designed for enterprise collaboration. It is used by organizations to manage various business processes and facilitate teamwork among employees.

What type of vulnerability does CVE-2022-50993 represent?

CVE-2022-50993 is an unauthenticated arbitrary file upload vulnerability. This weakness, classified as CWE-434, allows attackers to upload malicious files to the affected system without needing any credentials.

How can an attacker exploit this Weaver E-office vulnerability?

An attacker can exploit this by sending specially crafted multipart POST requests to the OfficeServer.php endpoint. These requests disguise malicious file uploads, such as webshells, which can then be executed via HTTP GET requests. The vulnerability is only triggered by these specific request types.

Who should be concerned about CVE-2022-50993?

Organizations running Weaver E-office should be concerned, especially if the software is internet-facing. This is because Weaver E-office is often deployed to allow remote employee access, making the vulnerable endpoint accessible from the public internet.

What is the first step to address this vulnerability in Weaver E-office?

The initial step is to investigate Weaver E-office instances for the unauthenticated arbitrary file upload vulnerability. If immediate patching is not possible, consider isolating the affected services to mitigate risk.
