CVE-2022-40022

CRITICAL EXPLOITED NUCLEI

Symmetricom SyncServer Unauthenticated Remote Command Execution

Title source: metasploit

Exploitation Summary

CVE-2022-40022 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 1 public exploit from researchers including Steve Campbell, Justin Fatuch Apt4hax, Robert Bronstein, including a Metasploit module exploits/linux/http/symmetricom_syncserver_rce. A Nuclei detection template is also available.

AI-analyzed exploit summary This Metasploit module exploits an unauthenticated command injection vulnerability in Symmetricom SyncServer's /controller/ping.php endpoint (CVE-2022-40022). It uses a backtick-injected payload to download and execute a malicious ELF binary, achieving remote code execution on vulnerable devices.

Description

Microchip Technology (Microsemi) SyncServer S650 was discovered to contain a command injection vulnerability.

Exploits (1)

metasploit WORKING POC EXCELLENT

by Steve Campbell, Justin Fatuch Apt4hax, Robert Bronstein · rubypoclinux

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/symmetricom_syncserver_rce.rb

View Code ZIP pw:eip

This Metasploit module exploits an unauthenticated command injection vulnerability in Symmetricom SyncServer's /controller/ping.php endpoint (CVE-2022-40022). It uses a backtick-injected payload to download and execute a malicious ELF binary, achieving remote code execution on vulnerable devices.

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Trivial

Reliability

Reliable

Target: Symmetricom SyncServer S100 through S350 (EoL), S650 before v2.2

No auth needed

Prerequisites: Network access to the target's HTTP service · Outbound connectivity from target to attacker's HTTP server (ports 25/80 TCP recommended)

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1203 - Exploitation for Client Execution T1105 - Ingress Tool Transfer

devstral-2 · analyzed Feb 16, 2026 Full analysis →

Nuclei Templates (1)

Symmetricom SyncServer Unauthenticated - Remote Command Execution

CRITICALVERIFIEDby DhiyaneshDK,mielverkerken

Shodan: html:"Symmetricom SyncServer"

References (5)

Core 5

Core References

Product

https://www.microsemi.com/campaigns/network-time-servers/S650p/%3Fgd%3D1&id=5&gclid=Cj0KCQjwjbyYBhCdARIsAArC6LL-202ej5YfDB5lMIMSZ2735qjo5yaj2i-PrvLv2Cnh_kIJtFJ0oF8aAlMpEALw_wcB

Product

https://www.microsemi.com/campaigns/network-time-servers/syncserver-s600/?url=

Product

https://www.microsemi.com/document-portal/doc_download/135737-datasheet-syncserver-s650

Third Party Advisory

https://www.securifera.com/advisories/CVE-2022-40022/

Exploit, Third Party Advisory

http://packetstormsecurity.com/files/172907/Symmetricom-SyncServer-Unauthenticated-Remote-Command-Execution.html

Scores

CVSS v3 9.8

EPSS 0.9247

EPSS Percentile 99.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact total

Details

VulnCheck KEV 2023-11-13

CWE

CWE-77

Status published

Products (1)

microchip/syncserver_s650_firmware

Published Feb 13, 2023

Tracked Since Feb 18, 2026