CVE-2022-31749

MEDIUM

WatchGuard Fireware OS <12.8.1-12.5.10 - Command Injection

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2022-31749. PoCs published by jbaines-r7, iveresk.

AI-analyzed exploit summary This exploit leverages a parameter injection vulnerability in WatchGuard's SSH interface to exfiltrate the `configd-hash.xml` file, which contains unsalted MD4 password hashes, to an attacker-controlled FTP server. It uses the built-in low-privileged `status` user for authentication.

Description

An argument injection vulnerability in the diagnose and import pac commands in WatchGuard Fireware OS before 12.8.1, 12.1.4, and 12.5.10 allows an authenticated remote attacker with unprivileged credentials to upload or read files to limited, arbitrary locations on WatchGuard Firebox and XTM appliances

Exploits (2)

nomisec WORKING POC 10 stars

by jbaines-r7 · poc

https://github.com/jbaines-r7/hook

View Code ZIP pw:eip

This exploit leverages a parameter injection vulnerability in WatchGuard's SSH interface to exfiltrate the `configd-hash.xml` file, which contains unsalted MD4 password hashes, to an attacker-controlled FTP server. It uses the built-in low-privileged `status` user for authentication.

Classification

Working Poc 95%

Attack Type

Info Leak

Complexity

Moderate

Reliability

Reliable

Target: WatchGuard Fireware OS (12.1.3 Update 8 and below)

Auth required

Prerequisites: SSH access to the target with valid credentials (default: `status:readonly`) · Network connectivity to an attacker-controlled FTP server

MITRE ATT&CK

T1040 - Network Sniffing T1003 - OS Credential Dumping

devstral-2 · analyzed Feb 16, 2026 Full analysis →

nomisec WORKING POC 1 stars

by iveresk · poc

https://github.com/iveresk/cve-2022-31749

View Code ZIP pw:eip

This PoC exploits a parameter injection vulnerability in WatchGuard's SSH interface (CVE-2022-31749) to exfiltrate the `configd-hash.xml` file, which contains unsalted MD4 password hashes. It uses the low-privileged `status` user with a default password of `readonly` to perform the attack via SCP.

Classification

Working Poc 95%

Attack Type

Info Leak

Complexity

Trivial

Reliability

Reliable

Target: WatchGuard Fireware

Auth required

Prerequisites: sshpass installed · network access to target · valid credentials for the `status` user

MITRE ATT&CK

T1005 - Data from Local System T1087 - Account Discovery

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (2)

Core 2

Core References

Vendor Advisory

https://www.watchguard.com/wgrd-psirt/advisory/wgsa-2022-00019

Third Party Advisory

https://www.rapid7.com/blog/post/2022/06/23/cve-2022-31749-watchguard-authenticated-arbitrary-file-read-write-fixed/

Scores

CVSS v3 6.5

EPSS 0.0121

EPSS Percentile 64.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-88

Status published

Products (4)

WatchGuard/Fireware OS < 12.8.1

WatchGuard/Fireware OS 12.2.x - 12.5.x

WatchGuard/Fireware OS 12.5.10

WatchGuard/Fireware OS 12.x - 12.1.4

Published Jan 28, 2025

Tracked Since Feb 18, 2026