CVE-2022-31137 CRITICAL

CVE-2022-31137: Unauthenticated Remote Code Execution in Roxy-WI

Vendor Hap-Wi

Product roxy-wi

Weakness CWE-78

Published July 8, 2022

Last update April 22, 2025

View on NVD All CVEs

CVSS base score

10.0/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction None

Confidentiality High

Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

What the vulnerability does

01Description

Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. Versions prior to 6.1.1.0 are subject to a remote code execution vulnerability. System commands can be run remotely via the subprocess_execute function without processing the inputs received from the user in the /app/options.py file. Attackers need not be authenticated to exploit this vulnerability. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Key dates

02Disclosure timeline

July 8, 2022 CVE published

April 22, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2022-31137 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/78.html

Related vulnerabilities

CVE-2022-31137: Unauthenticated Remote Code Execution in Roxy-WI

01Description

02Disclosure timeline

03References

04Related CVE