CVE-2022-21141
Published: 18 February 2022
Summary
CVE-2022-21141 is a critical-severity Incorrect Authorization (CWE-863) vulnerability in Airspan Mimosa Management Platform. Its CVSS base score is 10.0 (Critical).
Operationally, it ranks in the top 27.4% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog.
Deeper analysis
The vulnerability is an instance of improper authorization (CWE-863) affecting the API functions of several Cambium Networks products: MMP software prior to version 1.0.3, PTP C-series devices prior to version 2.8.6.1, and PTMP C-series and A5x devices prior to version 2.5.4.1. The flaw allows callers to reach privileged functions without any authentication checks, producing a CVSS 10.0 score driven by network attack vector, low complexity, and full impact on confidentiality, integrity, and availability in a changed scope.
An unauthenticated remote attacker can invoke the unprotected API endpoints to execute arbitrary code on the device, induce a denial-of-service condition, or extract sensitive information. No user interaction or credentials are required, enabling the attack to originate from anywhere on the network that can reach the management interface.
The referenced CISA advisory ICSA-22-034-02 describes the affected product versions and the need to apply the vendor-supplied updates that restore proper authorization checks.
EPSS for the CVE remained low after initial disclosure but later rose sharply, reaching a peak of 0.2745 on 2025-01-22 before receding to the current value of 0.0071, indicating a period of increased exploitation interest well after publication.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-26388
Vulnerability details
MMP: All versions prior to v1.0.3, PTP C-series: Device versions prior to v2.8.6.1, and PTMP C-series and A5x: Device versions prior to v2.5.4.1 do not perform proper authorization checks on multiple API functions. An attacker may gain access to these functions and achieve remote code execution, create a denial-of-service condition, and obtain sensitive information.
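The version thresholds above are what a defender needs for an inventory check. The following is an added example (not code from the advisory, the vendor, or this site) that parses "product,firmware" inventory lines and flags entries below the fixed versions named in the description; the product-family labels, the four-component dotted-integer version format, and the sample inventory are assumptions made for the example.

```python
from typing import Optional

# Fixed versions per product family, as stated in the CVE description.
FIXED_VERSIONS = {
    "MMP": "1.0.3",
    "PTP C-series": "2.8.6.1",
    "PTMP C-series": "2.5.4.1",
    "A5x": "2.5.4.1",
}

def parse_version(text: str) -> tuple:
    """Turn 'v2.8.6.1' or '2.8.6' into a comparable integer tuple.
    Missing trailing components count as zero, so '2.8.6' < '2.8.6.1'."""
    nums = tuple(int(p) for p in text.strip().lower().lstrip("v").split("."))
    return nums + (0,) * (4 - len(nums))

def is_affected(product: str, version: str) -> Optional[bool]:
    """True if version predates the fix, False if fixed or later,
    None if the product family is not covered by this CVE."""
    fixed = FIXED_VERSIONS.get(product)
    if fixed is None:
        return None
    return parse_version(version) < parse_version(fixed)

def triage_inventory(lines) -> list:
    """Parse 'product,version' lines; skip blanks and '#' comments."""
    results = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        product, version = (f.strip() for f in line.split(",", 1))
        results.append((product, version, is_affected(product, version)))
    return results

# Constructed sample inventory, not real devices.
SAMPLE_INVENTORY = """# product,firmware
MMP,v1.0.2
MMP,1.0.3
PTP C-series,2.8.6
PTMP C-series,v2.5.4.1
A5x,2.5.3.9
Other,9.9
"""

if __name__ == "__main__":
    for product, version, status in triage_inventory(SAMPLE_INVENTORY.splitlines()):
        label = {True: "AFFECTED", False: "fixed", None: "not in scope"}[status]
        print(f"{product:14} {version:10} {label}")
```

Entries with fewer than four version components are padded with zeros before comparison, so a device reporting "2.8.6" is correctly treated as older than the 2.8.6.1 fix.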
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls
Likely Mitigating Controls (AI-derived)
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness type (CWE-863) cited in the NVD entry.
- Periodic review and update of procedures reduces incorrect authorization implementations over time.
- Supervision identifies cases where authorization logic incorrectly permits unauthorized actions.
- Defining permitted attribute values and auditing modifications reduces the chance of incorrect authorization outcomes due to tampered or missing labels.
- An authorization process and usage restrictions for each remote access type help prevent incorrect authorization of remote access.
- Establishing configuration and connection requirements for wireless access helps ensure that authorization is correct rather than incorrect.
- Establishing connection authorization processes for mobile devices helps ensure authorization decisions are implemented correctly.
- Monitoring account use, notifying on changes, and reviewing accounts for compliance corrects incorrect authorization assignments.
- Controls on the use of external systems ensure that authorization decisions for that use are correctly implemented and enforced.