CVE-2022-24112

CRITICAL KEV NUCLEI LAB

APISIX Admin API default access token RCE

Title source: metasploit

Exploitation Summary

CVE-2022-24112 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added August 25, 2022. EIP tracks 13 public exploits from researchers including Ven3xy, Mr-xn and M4xSec, as well as a Metasploit module, exploits/multi/http/apache_apisix_api_default_token_rce. A Nuclei detection template is also available.

AI-analyzed exploit summary: This exploit leverages CVE-2022-24112 in Apache APISIX to achieve remote code execution by injecting a malicious Lua function into the `filter_func` parameter of a route configuration. The payload establishes a reverse shell to the attacker's specified host and port.

Description

An attacker can abuse the batch-requests plugin to send requests that bypass the IP restriction of the Admin API. A default configuration of Apache APISIX (with the default API key) is vulnerable to remote code execution. If the admin key has been changed, or the Admin API listens on a port different from the data plane, the impact is lower, but there is still a risk of bypassing the IP restriction of Apache APISIX's data plane. The batch-requests plugin contains a check that overrides the client IP with its real remote IP, but due to a bug in the code this check can be bypassed.

Exploits (13)

exploitdb WORKING POC
by Ven3xy · python · remote · multiple
https://www.exploit-db.com/exploits/50829

This exploit leverages CVE-2022-24112 in Apache APISIX to achieve remote code execution by injecting a malicious Lua function into the `filter_func` parameter of a route configuration. The payload establishes a reverse shell to the attacker's specified host and port.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Apache APISIX 1.3 – 2.12.1
Auth required
Prerequisites: Valid API key (default: edd1c9f034335f136f87ad84b625c8f1) · Network access to the target APISIX instance · Listener set up on attacker's machine for reverse shell
devstral-2 · analyzed Feb 16, 2026
nomisec WRITEUP 44 stars
by Mr-xn · remote
https://github.com/Mr-xn/CVE-2022-24112

This repository provides a writeup and nuclei template for CVE-2022-24112, an RCE vulnerability in Apache APISIX's batch-requests plugin. The exploit leverages unauthorized access to execute malicious scripts or filter functions, similar to CVE-2021-45232.

Classification
Writeup 90%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Apache APISIX (version not specified)
No auth needed
Prerequisites: Access to the target APISIX instance · Ability to send crafted HTTP requests with specific headers and body parameters
devstral-2 · analyzed Feb 16, 2026
nomisec WORKING POC 13 stars
by M4xSec · poc
https://github.com/M4xSec/Apache-APISIX-CVE-2022-24112

This exploit leverages CVE-2022-24112 in Apache APISIX by abusing the batch-requests plugin to bypass IP restrictions and execute arbitrary commands via a crafted route configuration. The PoC sends a reverse shell payload to the target.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Apache APISIX (versions before 2.10.4 or 2.12.1)
Auth required
Prerequisites: Default or known API key · Admin API accessible · Network access to target
devstral-2 · analyzed Feb 16, 2026
nomisec WORKING POC 9 stars
by twseptian · remote
https://github.com/twseptian/cve-2022-24112

This repository contains a working proof-of-concept exploit for CVE-2022-24112, an RCE vulnerability in Apache APISIX versions prior to 2.12.1. The exploit leverages the `filter_func` parameter to execute arbitrary commands, resulting in a reverse shell.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Trivial
Reliability
Reliable
Target: Apache APISIX < 2.12.1
Auth required
Prerequisites: Network access to the APISIX admin interface · Valid API key for authentication
devstral-2 · analyzed Feb 16, 2026
nomisec WORKING POC 8 stars
by SecNN · poc
https://github.com/SecNN/CVE-2022-24112

This PoC exploits CVE-2022-24112, an RCE vulnerability in Apache APISIX via batch-requests. It sends a crafted payload to execute arbitrary commands on the target system.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Apache APISIX (versions affected by CVE-2022-24112)
No auth needed
Prerequisites: Target URL list in 'url.txt' · Network access to the target
devstral-2 · analyzed Feb 16, 2026
nomisec WORKING POC 7 stars
by Mah1ndra · poc
https://github.com/Mah1ndra/CVE-2022-24112

This Go-based exploit leverages CVE-2022-24112 to achieve RCE in Apache APISIX by registering a malicious route with a Lua script via the batch-requests plugin. It uses a race condition to bypass admin key validation and execute arbitrary commands.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Racy
Target: Apache APISIX (versions affected by CVE-2022-24112)
No auth needed
Prerequisites: Network access to the APISIX admin interface · Batch-requests plugin enabled
devstral-2 · analyzed Feb 16, 2026
nomisec WORKING POC 5 stars
by Acczdy · remote
https://github.com/Acczdy/CVE-2022-24112_POC

This repository contains two Python-based PoC exploits for CVE-2022-24112, targeting Apache APISIX versions 1.3 to 2.12.1. The exploits leverage the batch-requests plugin to bypass Admin API IP restrictions and achieve remote code execution via a crafted filter_func payload.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Apache APISIX 1.3 – 2.12.1
No auth needed
Prerequisites: Network access to the target Apache APISIX instance · Listener set up on attacker's machine for reverse shell
devstral-2 · analyzed Feb 16, 2026
nomisec WORKING POC 2 stars
by kavishkagihan · poc
https://github.com/kavishkagihan/CVE-2022-24112-POC

This PoC exploits CVE-2022-24112 in Apache APISIX by bypassing IP restrictions and using the default admin API token to achieve remote code execution via a crafted batch request.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Apache APISIX 1.3 – 2.12.1
Auth required
Prerequisites: Target running vulnerable Apache APISIX version · Default admin API token (edd1c9f034335f136f87ad84b625c8f1) · Network access to the target
devstral-2 · analyzed Feb 16, 2026
nomisec WORKING POC 1 star
by btar1gan · poc
https://github.com/btar1gan/exploit_CVE-2022-24112

This PoC exploits CVE-2022-24112, a vulnerability in Apache APISIX, by injecting a malicious Lua filter function to achieve remote code execution (RCE). The exploit consists of two scripts: the first creates a malicious route, and the second triggers the payload to establish a reverse shell.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Apache APISIX (versions prior to 2.12.1)
Auth required
Prerequisites: Network access to the target APISIX instance · Valid API key (X-API-KEY) · Outbound connectivity for reverse shell
devstral-2 · analyzed Feb 16, 2026
nomisec WORKING POC
by fatkz · remote
https://github.com/fatkz/CVE-2022-24112

This is a functional Python PoC for CVE-2022-24112, exploiting a Lua code injection vulnerability in Apache APISIX 2.12.x via the `filter_func` field in the admin API. It injects a malicious route that executes arbitrary system commands via `io.popen` and returns the output.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Apache APISIX 2.12.0 and 2.12.1
Auth required
Prerequisites: Network access to the admin API · Valid API key (default key used in PoC)
devstral-2 · analyzed Feb 16, 2026
nomisec WORKING POC
by CrackerCat · poc
https://github.com/CrackerCat/CVE-2022-24112

This PoC exploits CVE-2022-24112, an RCE vulnerability in Apache APISIX via the batch-requests endpoint. It sends a crafted base64-encoded payload to execute arbitrary commands, demonstrated with a DNS callback.

Classification
Working Poc 90%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Apache APISIX (versions affected by CVE-2022-24112)
No auth needed
Prerequisites: Network access to the target APISIX instance · Batch-requests endpoint enabled
devstral-2 · analyzed Feb 16, 2026
metasploit WORKING POC EXCELLENT
ruby · poc
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/apache_apisix_api_default_token_rce.rb

This Metasploit module exploits CVE-2022-24112, leveraging the default API token in Apache APISIX to achieve remote code execution via the script parameter. It also bypasses IP restrictions using batch requests.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Apache APISIX (versions 2.x)
Auth required
Prerequisites: Default API token (edd1c9f034335f136f87ad84b625c8f1) · Access to admin API endpoints
devstral-2 · analyzed Apr 30, 2026
vulncheck_xdb WORKING POC
remote
https://github.com/Mah1ndra/CVE-2022-244112

This repository contains a functional Go-based exploit for CVE-2022-24112, leveraging the batch-request plugin in Apache APISIX to register an admin route with a malicious Lua script for remote code execution. The exploit uses a race condition to bypass authentication and execute arbitrary commands.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Racy
Target: Apache APISIX (versions affected by CVE-2022-24112)
No auth needed
Prerequisites: Network access to the APISIX admin interface · Default admin key (edd1c9f034335f136f87ad84b625c8f1) or knowledge of the admin key
devstral-2 · analyzed Feb 25, 2026

Nuclei Templates (1)

Apache APISIX - Remote Code Execution
CRITICAL · by Mr-xn
Shodan: title:"Apache APISIX Dashboard" || http.title:"apache apisix dashboard"
FOFA: title="Apache APISIX Dashboard" || title="apache apisix dashboard"

References (5)

Core References (5)
Mailing List, Mitigation, Vendor Advisory x_refsource_misc
https://lists.apache.org/thread/lcdqywz8zy94mdysk7p3gfdgn51jmt94
Mailing List, Mitigation, Third Party Advisory mailing-list x_refsource_mlist
http://www.openwall.com/lists/oss-security/2022/02/11/3
Exploit, Third Party Advisory, VDB Entry x_refsource_misc
http://packetstormsecurity.com/files/166228/Apache-APISIX-Remote-Code-Execution.html

Scores

CVSS v3 9.8
EPSS 0.9444
EPSS Percentile 100.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable yes
Technical Impact total

Lab Environment

COMMUNITY
Community Lab
docker pull openresty/openresty:1.19.3.1-alpine-fat
docker pull api7/apisix-base:1.19.9.1.3
docker pull openresty/openresty:1.19.3.2-alpine-fat
docker pull bitnami/etcd:3.4.9
docker pull apache/apisix-dashboard:2.10.1-alpine
+4 more images
+9 more repos

Details

CISA KEV 2022-08-25
VulnCheck KEV 2022-08-19
InTheWild.io 2022-08-25
ENISA EUVD EUVD-2022-29024
CWE
CWE-290
Status published
Products (1)
apache/apisix < 2.10.4
Published Feb 11, 2022
KEV Added Aug 25, 2022
Tracked Since Feb 18, 2026