CVE-2022-35413
CRITICAL EXPLOITED NUCLEIWAPPLES < 6.0.0 - Use of Hard-coded Credentials in Systemi Account
Title source: llmExploitation Summary
CVE-2022-35413 has been observed exploited in the wild (reported by VulnCheck KEV). A Nuclei detection template is also available.
Description
WAPPLES through 6.0 has a hardcoded systemi account. A threat actor could use this account to access the system configuration and confidential information (such as SSL keys) via an HTTPS request to the /webapi/ URI on port 443 or 5001.
Nuclei Templates (1)
WAPPLES Web Application Firewall <=6.0 - Hardcoded Credentials
CRITICALVERIFIEDby For3stCo1d
Shodan:
http.title:"Intelligent WAPPLES" || http.title:"intelligent wapples"
FOFA:
title="intelligent wapples"
References (3)
Core 3
Core References
Product, Vendor Advisory x_refsource_misc
https://www.pentasecurity.com/product/wapples/
Patch, Product, Third Party Advisory, Vendor Advisory x_refsource_misc
https://azuremarketplace.microsoft.com/en/marketplace/apps/penta-security-systems-inc.wapples_sa_v6?tab=Overview
Various Sources x_refsource_misc
https://medium.com/%40_sadshade/wapples-web-application-firewall-multiple-vulnerabilities-35bdee52c8fb
Scores
CVSS v3
9.8
EPSS
0.1235
EPSS Percentile
95.7%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
VulnCheck KEV
2023-11-13
CWE
CWE-798
Status
published
Products (1)
pentasecurity/wapples
4.0.54.1 - 6.0.0
Published
Sep 13, 2022
Tracked Since
Feb 18, 2026