CVE-2022-22845

CRITICAL

QXIP SIPCAPTURE homer-app < 1.4.28 - Use of Hard-coded JWT Secret Key

Exploitation Summary

EIP tracks 1 public exploit for CVE-2022-22845. PoCs published by OmriBaso.

AI-analyzed exploit summary: This exploit generates a JWT token with admin privileges using a hardcoded secret key to bypass authentication in QXIP SIPCAPTURE Homer-App. It then uses this token to access the admin API endpoint and dump user information.

Description

QXIP SIPCAPTURE homer-app before 1.4.28 for HOMER 7.x has the same 167f0db2-f83e-4baa-9736-d56064a5b415 JWT secret key across different customers' installations.

Exploits (1)

nomisec · Working PoC · 2 stars · by OmriBaso
https://github.com/OmriBaso/CVE-2022-22845-Exploit

Classification: Working PoC 95%
Attack Type: Auth Bypass
Complexity: Trivial
Reliability: Reliable
Target: QXIP SIPCAPTURE Homer-App up to 1.4.27
No auth needed
Prerequisites: Network access to the target application · Python environment with 'jwt' and 'requests' libraries
devstral-2 · analyzed Feb 16, 2026

References (4)

Core References
Vendor Advisory (x_refsource_misc): http://sipcapture.org
Patch, Third Party Advisory (x_refsource_misc): https://github.com/sipcapture/homer-app/compare/1.4.27...1.4.28

Scores

CVSS v3 9.8
EPSS 0.0381
EPSS Percentile 88.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE: CWE-798
Status: published
Products (1)
qxip/homer_webapp < 1.4.28
Published Jan 10, 2022
Tracked Since Feb 18, 2026