CVE-2023-22855 Overview
CVE-2023-22855 is a critical remote code execution vulnerability affecting Kardex Mlog MCC 5.7.12+0-a203c2a213-master. The vulnerability exists in the web interface that listens on port 8088, where a user-controllable path is passed to the .NET Path.Combine method without proper sanitization. This flaw enables attackers to include both local files and remote files hosted on SMB shares. When a file with the .t4 extension is provided, it is processed by the mono/t4 .NET templating engine, which can execute arbitrary code on the target system.
Critical Impact
This vulnerability allows unauthenticated remote attackers to execute arbitrary code on affected Kardex Mlog MCC systems, potentially leading to complete system compromise of industrial control and warehouse automation infrastructure.
Affected Products
- Kardex Mlog MCC version 5.7.12+0-a203c2a213-master
- Kardex Kardex Control Center
Discovery Timeline
- 2023-02-15 - CVE-2023-22855 published to NVD
- 2025-03-19 - Last updated in NVD database
Technical Details for CVE-2023-22855
Vulnerability Analysis
This vulnerability is classified as CWE-94 (Improper Control of Generation of Code - Code Injection). The Kardex Mlog MCC system exposes a web interface on port 8088 that processes user-supplied file paths. The application fails to properly sanitize path inputs before passing them to the Path.Combine method in .NET, creating a path traversal condition that can be exploited for file inclusion.
The critical aspect of this vulnerability lies in the integration with the mono/t4 templating engine. When an attacker can cause the application to process a file with the .t4 extension—either through local file inclusion or by pointing to a malicious file on an attacker-controlled SMB share—the templating engine will execute any code embedded within the template file. This transforms a file inclusion vulnerability into full remote code execution.
Root Cause
The root cause of CVE-2023-22855 is insufficient input validation and sanitization of user-controllable file paths before they are processed by the Path.Combine method. The application trusts user input without verifying that the resulting path stays within intended boundaries. Additionally, the automatic processing of .t4 files through the mono/t4 templating engine without security restrictions creates a code execution pathway when combined with the path manipulation vulnerability.
Attack Vector
The attack is executed over the network against the web interface listening on port 8088. An attacker can exploit this vulnerability without authentication by crafting HTTP requests that manipulate the file path parameter. The attack can follow two primary vectors:
Local File Inclusion (LFI): The attacker traverses the file system to include local .t4 template files or plants a malicious template file through another mechanism before triggering its execution.
Remote File Inclusion via SMB: The attacker hosts a malicious .t4 template file on an SMB share they control. By providing a UNC path (e.g., \\attacker-server\share\malicious.t4) as the file path parameter, the vulnerable system retrieves and processes the remote template, executing the embedded code.
The vulnerability is accessible remotely with no privileges required, making it trivial to exploit once network access to port 8088 is obtained. Detailed technical information and proof-of-concept code are available in the GitHub CVE-2023-22855 Advisory and Exploit-DB #51239.
Detection Methods for CVE-2023-22855
Indicators of Compromise
- Unusual outbound SMB connections (port 445) from systems running Kardex Mlog MCC to external or unknown IP addresses
- HTTP requests to port 8088 containing path traversal sequences such as ../, ..\\, or UNC paths starting with \\
- Presence of unexpected .t4 files on the system or references to .t4 files in application logs
- Anomalous process spawning from the Kardex Mlog MCC web service process
Detection Strategies
- Implement network monitoring rules to detect SMB traffic originating from Kardex Mlog MCC systems to non-approved destinations
- Deploy web application firewall (WAF) rules to block requests containing path traversal patterns or UNC paths targeting port 8088
- Configure endpoint detection and response (EDR) solutions to alert on the mono/t4 templating engine executing unexpected code
- Review IIS or application logs for suspicious file path parameters in requests to the web interface
Monitoring Recommendations
- Enable detailed logging on the Kardex Mlog MCC web interface to capture all incoming requests and file access attempts
- Monitor for any network connections from the MCC system to external SMB shares
- Implement file integrity monitoring on directories accessible to the web application
- Set up alerts for any new or modified .t4 files appearing on systems running the vulnerable software
How to Mitigate CVE-2023-22855
Immediate Actions Required
- Restrict network access to port 8088 using firewall rules, allowing connections only from trusted management workstations
- Block outbound SMB traffic (port 445) from systems running Kardex Mlog MCC to prevent remote file inclusion via SMB
- Implement network segmentation to isolate Kardex Mlog MCC systems from untrusted networks
- Contact Kardex support to obtain information about available security patches or updated firmware
Patch Information
Organizations should contact Kardex directly for patch availability and remediation guidance. No vendor advisory URLs were provided in the vulnerability disclosure. Technical details about the vulnerability are documented in the Full Disclosure Mailing List Post and the Packet Storm File Inclusion RCE advisory.
Workarounds
- Deploy a reverse proxy or web application firewall in front of the Kardex Mlog MCC web interface to filter malicious requests
- Disable or restrict access to the web interface on port 8088 if it is not required for operations
- Implement strict SMB traffic controls using host-based firewall rules to block all outbound SMB connections
- Consider placing vulnerable systems behind a VPN to require authentication before network access is granted
# Example firewall rules to restrict access to the vulnerable web interface
# Block external access to port 8088 (adjust interface and trusted IPs as needed)
iptables -A INPUT -p tcp --dport 8088 -s 192.168.1.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 8088 -j DROP
# Block outbound SMB to prevent remote file inclusion attacks
iptables -A OUTPUT -p tcp --dport 445 -j DROP
iptables -A OUTPUT -p tcp --dport 139 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
