Cyber Resilience

CVE-2022-25621

Severity: Critical / RCE

Published: 11 March 2022

Modified: 21 November 2024
KEV Added: not listed
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0096 (76.9th percentile)
Risk Priority: 20 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2022-25621 is a critical-severity OS Command Injection (CWE-78) vulnerability in NEC UNIVERGE WA1020 firmware. Its CVSS v3.1 base score is 9.8 (Critical).

Operationally, its EPSS score places it in the top 23.1% of CVEs by exploit likelihood (76.9th percentile); it is not currently listed in the CISA KEV catalog.

Vulnerability details

UNIVERGE WA 1020 Ver8.2.11 and prior, UNIVERGE WA 1510 Ver8.2.11 and prior, UNIVERGE WA 1511 Ver8.2.11 and prior, UNIVERGE WA 1512 Ver8.2.11 and prior, UNIVERGE WA 2020 Ver8.2.11 and prior, UNIVERGE WA 2021 Ver8.2.11 and prior, UNIVERGE WA 2610-AP Ver8.2.11 and prior, UNIVERGE WA 2611-AP Ver8.2.11 and prior, UNIVERGE WA 2611E-AP Ver8.2.11 and prior, UNIVERGE WA 2612-AP Ver8.2.11 and prior allow a remote attacker to execute arbitrary OS commands.

CWE(s): CWE-78 (OS Command Injection)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor   Product                        Versions
nec      univerge wa1020 firmware       ≤ 8.2.11
nec      univerge wa1510 firmware       ≤ 8.2.11
nec      univerge wa1511 firmware       ≤ 8.2.11
nec      univerge wa1512 firmware       ≤ 8.2.11
nec      univerge wa2020 firmware       ≤ 8.2.11
nec      univerge wa2021 firmware       ≤ 8.2.11
nec      univerge wa2610-ap firmware    ≤ 8.2.11
nec      univerge wa2611-ap firmware    ≤ 8.2.11
nec      univerge wa2611e-ap firmware   ≤ 8.2.11
nec      univerge wa2612-ap firmware    ≤ 8.2.11

Mitigating Controls

Likely Mitigating Controls (AI)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Control (addresses CWE-78): Platform-independent apps typically execute inside a managed runtime or sandbox that restricts direct OS command execution, reducing the ability to exploit OS command injection.

Control (addresses CWE-78): Validates inputs to block special elements that would alter OS command execution.