CVE-2022-35413

CRITICAL EXPLOITED NUCLEI

Pentasecurity Wapples < 6.0.0 - Hard-coded Credentials

Title source: rule

Description

WAPPLES through 6.0 has a hardcoded systemi account. A threat actor could use this account to access the system configuration and confidential information (such as SSL keys) via an HTTPS request to the /webapi/ URI on port 443 or 5001.

Nuclei Templates (1)

WAPPLES Web Application Firewall <=6.0 - Hardcoded Credentials

CRITICALVERIFIEDby For3stCo1d

Shodan: http.title:"Intelligent WAPPLES" || http.title:"intelligent wapples"

FOFA: title="intelligent wapples"

References (3)

[Product, Vendor Advisory] https://www.pentasecurity.com/product/wapples/

[Patch, Product, Third Party Advisory, Vendor Advisory] https://azuremarketplace.microsoft.com/en/marketplace/apps/penta-security-systems-inc.wapples_sa_v6?tab=Overview

[Various Sources] https://medium.com/%40_sadshade/wapples-web-application-firewall-multiple-vulnerabilities-35bdee52c8fb

Scores

CVSS v3 9.8

EPSS 0.8597

EPSS Percentile 99.4%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

VulnCheck KEV 2023-11-13

CWE

CWE-798

Status published

Products (1)

pentasecurity/wapples 4.0.54.1 - 6.0.0

Published Sep 13, 2022

Tracked Since Feb 18, 2026