CVE-2022-22832

CRITICAL

Servisnet Tessa 0.0.2 - Unauthenticated Authorization Bypass via User Data Endpoint

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2022-22832. PoCs published by AkkuS.

AI-analyzed exploit summary This Metasploit module exploits a privilege escalation vulnerability in Servisnet Tessa by leveraging an API endpoint to retrieve user information, including session IDs, and then creating a new admin user with a hardcoded password.

Description

An issue was discovered in Servisnet Tessa 0.0.2. Authorization data is available via an unauthenticated /data-service/users/ request.

Exploits (2)

exploitdb WORKING POC

by AkkuS · rubywebappsmultiple

https://www.exploit-db.com/exploits/50712

View Code ZIP pw:eip

This Metasploit module exploits a privilege escalation vulnerability in Servisnet Tessa by leveraging an API endpoint to retrieve user information, including session IDs, and then creating a new admin user with a hardcoded password.

Classification

Working Poc 95%

Attack Type

Auth Bypass

Complexity

Moderate

Reliability

Reliable

Target: Servisnet Tessa

Auth required

Prerequisites: Valid low-privilege user credentials · Access to the target application's API endpoints

MITRE ATT&CK

T1068 - Exploitation for Privilege Escalation T1110 - Brute Force

devstral-2 · analyzed Feb 16, 2026 Full analysis →

exploitdb WORKING POC

by AkkuS · rubywebappsmultiple

https://www.exploit-db.com/exploits/50713

View Code ZIP pw:eip

This Metasploit module exploits an unauthenticated MQTT credentials dump vulnerability in Servisnet Tessa by extracting hardcoded credentials from a publicly accessible JavaScript file and attempting to authenticate with the MQTT service.

Classification

Working Poc 95%

Attack Type

Info Leak

Complexity

Trivial

Reliability

Reliable

Target: Servisnet Tessa

No auth needed

Prerequisites: Network access to the target application · Publicly accessible 'app.js' file

MITRE ATT&CK

T1552 - Unsecured Credentials

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (4)

Core 4

Core References

Product x_refsource_misc

http://www.servisnet.com.tr/en/page/products

Exploit, Third Party Advisory x_refsource_misc

https://www.pentest.com.tr/exploits/Servisnet-Tessa-Privilege-Escalation.html

Exploit, Third Party Advisory, VDB Entry x_refsource_misc

http://packetstormsecurity.com/files/165873/Servisnet-Tessa-Privilege-Escalation.html

Exploit, Third Party Advisory, VDB Entry x_refsource_misc

https://www.exploit-db.com/exploits/50712

Scores

CVSS v3 9.8

EPSS 0.2335

EPSS Percentile 96.1%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-639

Status published

Products (1)

servisnet/tessa 0.0.2

Published Feb 06, 2022

Tracked Since Feb 18, 2026