CVE-2022-45030

HIGH

rConfig 3.9.7 - SQL Injection via Command Parameter in ajaxCompareGetCmdDates

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2022-45030. PoCs published by azhen.

AI-analyzed exploit summary This exploit demonstrates an authenticated SQL injection vulnerability in rConfig v3.9.7 and earlier. It extracts the database name by leveraging a time-based blind SQLi technique via the 'deviceId' parameter in the 'ajaxCompareGetCmdDates.php' endpoint.

Description

A SQL injection vulnerability in rConfig 3.9.7 exists via lib/ajaxHandlers/ajaxCompareGetCmdDates.php?command= (this may interact with secure-file-priv).

Exploits (1)

exploitdb WORKING POC
by azhen · pythonwebappsphp
https://www.exploit-db.com/exploits/51163

This exploit demonstrates an authenticated SQL injection vulnerability in rConfig v3.9.7 and earlier. It extracts the database name by leveraging a time-based blind SQLi technique via the 'deviceId' parameter in the 'ajaxCompareGetCmdDates.php' endpoint.

Classification
Working Poc 95%
Attack Type
Sqli
Complexity
Moderate
Reliability
Reliable
Target: rConfig <= v3.9.7
Auth required
Prerequisites: Valid credentials for rConfig (default: admin/admin) · Network access to the target server
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (2)

Core 2

Scores

CVSS v3 8.8
EPSS 0.0268
EPSS Percentile 83.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact partial

Details

CWE
CWE-89
Status published
Products (1)
rconfig/rconfig 3.9.7
Published Apr 15, 2023
Tracked Since Feb 18, 2026