CVE-2022-24637

CRITICAL NUCLEI LAB

Open Web Analytics <1.7.4 - Info Disclosure

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 9 public exploits for CVE-2022-24637. PoCs published by Jacob Ebben, hupe1980, Lay0us, including Metasploit module exploits/multi/http/open_web_analytics_rce. A Nuclei detection template is also available.

AI-analyzed exploit summary This exploit leverages CVE-2022-24637 to achieve unauthenticated RCE in Open Web Analytics (OWA) versions <1.7.4. It abuses password reset functionality and log file manipulation to write a PHP reverse shell to the target system.

Description

Open Web Analytics (OWA) before 1.7.4 allows an unauthenticated remote attacker to obtain sensitive user information, which can be used to gain admin privileges by leveraging cache hashes. This occurs because files generated with '<?php (instead of the intended "<?php sequence) aren't handled by the PHP interpreter.

Exploits (9)

exploitdb WORKING POC
by Jacob Ebben · pythonwebappsphp
https://www.exploit-db.com/exploits/51026

This exploit leverages CVE-2022-24637 to achieve unauthenticated RCE in Open Web Analytics (OWA) versions <1.7.4. It abuses password reset functionality and log file manipulation to write a PHP reverse shell to the target system.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Open Web Analytics <1.7.4
No auth needed
Prerequisites: Target must be running vulnerable OWA version · Attacker must have network access to target · PHP must be able to execute shell commands
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC 5 stars
by hupe1980 · poc
https://github.com/hupe1980/CVE-2022-24637

This is a functional exploit for CVE-2022-24637, an unauthenticated RCE vulnerability in Open Web Analytics (OWA) before 1.7.4. It chains authentication bypass, password reset, and log file manipulation to achieve remote code execution.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Open Web Analytics (OWA) before 1.7.4
No auth needed
Prerequisites: Target must be running vulnerable OWA version · Network access to target
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC 5 stars
by Lay0us · poc
https://github.com/Lay0us/CVE-2022-24637

This exploit targets an unauthenticated RCE vulnerability in Open Web Analytics (OWA) 1.7.3 by leveraging password reset and log file manipulation to achieve remote code execution via a reverse shell.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Open Web Analytics (OWA) 1.7.3
No auth needed
Prerequisites: Target must be running OWA 1.7.3 · Attacker must have network access to the target · Attacker must have a listener set up for the reverse shell
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC 4 stars
by Pflegusch · poc
https://github.com/Pflegusch/CVE-2022-24637

This repository contains a working Metasploit module for CVE-2022-24637, which exploits an authentication bypass and RCE vulnerability in Open Web Analytics (OWA) before 1.7.4. The exploit leverages improperly handled PHP files in the cache directory to obtain sensitive user information and gain admin privileges.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Open Web Analytics (OWA) before 1.7.4
No auth needed
Prerequisites: Network access to the target OWA instance · Docker for vulnerable environment setup (optional)
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC 4 stars
by icebreack · poc
https://github.com/icebreack/CVE-2022-24637

This is a functional exploit for CVE-2022-24637, targeting Open Web Analytics (OWA) versions <1.7.4. It leverages unauthenticated cache manipulation to reset a user's password, then achieves RCE by uploading a PHP reverse shell.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Open Web Analytics <1.7.4
No auth needed
Prerequisites: Target URL · Attacker IP and port for reverse shell · Valid username (default: admin)
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC 3 stars
by 0xM4hm0ud · poc
https://github.com/0xM4hm0ud/CVE-2022-24637

This exploit automates CVE-2022-24637, an unauthenticated RCE in Open Web Analytics <1.7.4. It changes the admin password, then injects a PHP reverse shell into the log path via configuration settings.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Open Web Analytics <1.7.4
No auth needed
Prerequisites: Target must be running vulnerable Open Web Analytics · Attacker must have network access to the target
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC 1 stars
by 0xRyuk · poc
https://github.com/0xRyuk/CVE-2022-24637

This repository contains a functional exploit for CVE-2022-24637, targeting Open Web Analytics 1.7.3. The exploit leverages unauthenticated RCE by manipulating cache files and includes a reverse shell payload for post-exploitation.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Open Web Analytics <1.7.4
No auth needed
Prerequisites: Target running vulnerable Open Web Analytics version · Network access to the target
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC
by JacobEbben · poc
https://github.com/JacobEbben/CVE-2022-24637

This is a functional exploit for CVE-2022-24637, an unauthenticated RCE vulnerability in Open Web Analytics (OWA) <1.7.4. It leverages password reset and cache manipulation to achieve remote code execution via a reverse shell.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Open Web Analytics (OWA) <1.7.4
No auth needed
Prerequisites: Target URL · Attacker IP and port for reverse shell · Valid username (default: admin)
devstral-2 · analyzed Feb 16, 2026 Full analysis →
metasploit WORKING POC EXCELLENT
by Jacob Ebben, Dennis Pfleger · rubypoc
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/open_web_analytics_rce.rb

This Metasploit module exploits CVE-2022-24637 in Open Web Analytics (OWA) before 1.7.4, leveraging improper handling of PHP files with '<?php ' to obtain sensitive user information, change passwords, and achieve remote code execution via log file manipulation.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Open Web Analytics (OWA) < 1.7.4
No auth needed
Prerequisites: Target must be running Open Web Analytics < 1.7.4 · Access to the web interface · Valid username to exploit (default: 'admin')
devstral-2 · analyzed Feb 16, 2026 Full analysis →

Nuclei Templates (1)

Open Web Analytics 1.7.3 - Remote Code Execution
CRITICALVERIFIEDby iamnoooob,rootxharsh,pdresearch
Shodan: cpe:"cpe:2.3:a:openwebanalytics:open_web_analytics"

References (4)

Core 4

Scores

CVSS v3 9.8
EPSS 0.9331
EPSS Percentile 99.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Lab Environment

COMMUNITY
Community Lab
docker pull ghcr.io/pflegusch/owa-rce:1.7.3
+5 more repos

Details

CWE
CWE-269
Status published
Products (2)
open-web-analytics/open-web-analytics 0 - 1.7.4Packagist
openwebanalytics/open_web_analytics < 1.7.4
Published Mar 18, 2022
Tracked Since Feb 18, 2026