CVE-2022-39986

CRITICAL EXPLOITED NUCLEI

raspap 2.8.0-2.8.7 - Unauthenticated Command Injection via cfg_id Parameter

Title source: llm
STIX 2.1

Exploitation Summary

CVE-2022-39986 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 3 public exploits from researchers including mind2hex, tucommenceapousser, including a Metasploit module exploits/unix/http/raspap_rce. A Nuclei detection template is also available.

AI-analyzed exploit summary This repository contains a functional exploit for CVE-2022-39986, targeting RaspAP versions 2.8.0 to 2.8.7. It includes a Bash script for scanning and exploiting vulnerable instances, along with a PHP reverse shell payload for remote code execution.

Description

A Command injection vulnerability in RaspAP 2.8.0 thru 2.8.7 allows unauthenticated attackers to execute arbitrary commands via the cfg_id parameter in /ajax/openvpn/activate_ovpncfg.php and /ajax/openvpn/del_ovpncfg.php.

Exploits (3)

nomisec WORKING POC
by mind2hex · remote
https://github.com/mind2hex/CVE-2022-39986-RaspAP-2.8.0-2.8.7-RCE

This repository contains a functional exploit for CVE-2022-39986, targeting RaspAP versions 2.8.0 to 2.8.7. It includes a Bash script for scanning and exploiting vulnerable instances, along with a PHP reverse shell payload for remote code execution.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: RaspAP 2.8.0-2.8.7
No auth needed
Prerequisites: Shodan API key · ngrok · jq · python · terminator
devstral-2 · analyzed Feb 19, 2026 Full analysis →
nomisec WORKING POC
by tucommenceapousser · remote
https://github.com/tucommenceapousser/RaspAP-CVE-2022-39986-PoC

The repository contains a functional Python script that exploits CVE-2022-39986, an unauthenticated remote code execution vulnerability in RaspAP versions 2.8.0 to 2.8.6. The exploit sends a crafted POST request to the `/ajax/openvpn/del_ovpncfg.php` endpoint with a command injection payload in the `cfg_id` parameter.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Trivial
Reliability
Reliable
Target: RaspAP versions 2.8.0 to 2.8.6
No auth needed
Prerequisites: Network access to the target RaspAP instance · Target running a vulnerable version of RaspAP (2.8.0 to 2.8.6)
devstral-2 · analyzed Feb 19, 2026 Full analysis →
metasploit WORKING POC EXCELLENT
rubypocunix
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/http/raspap_rce.rb

This Metasploit module exploits an unauthenticated command injection vulnerability in RaspAP versions 2.8.0 through 2.8.7 via the cfg_id parameter in /ajax/openvpn/activate_ovpncfg.php and /ajax/openvpn/del_ovpncfg.php. It allows arbitrary command execution in the context of the user running RaspAP.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Trivial
Reliability
Reliable
Target: RaspAP 2.8.0 to 2.8.7
No auth needed
Prerequisites: Network access to the target · RaspAP web interface exposed
devstral-2 · analyzed Feb 16, 2026 Full analysis →

Nuclei Templates (1)

RaspAP 2.8.7 - Unauthenticated Command Injection
CRITICALVERIFIEDby DhiyaneshDK
Shodan: http.favicon.hash:-1465760059
FOFA: icon_hash=-1465760059

References (3)

Core 3

Scores

CVSS v3 9.8
EPSS 0.9306
EPSS Percentile 99.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable yes
Technical Impact total

Details

VulnCheck KEV 2023-11-13
CWE
CWE-77
Status published
Products (2)
billz/raspap-webgui 2.8.0 - 2.8.8Packagist
raspap/raspap 2.8.0 - 2.8.7
Published Aug 01, 2023
Tracked Since Feb 18, 2026