CVE-2022-26187

Critical · Public PoC · RCE

Published: 22 March 2022
Modified: 21 November 2024
KEV Added: not listed
Patch: none referenced
CVSS v3.1 score: 9.8 (vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS score: 0.3349 (97.0th percentile)
Risk priority: 40 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2022-26187 is a critical-severity Command Injection (CWE-77) vulnerability in Totolink N600R Firmware. Its CVSS base score is 9.8 (Critical).

Operationally, it ranks in the top 3.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

Deeper analysis

TOTOLINK N600R firmware version V4.3.0cu.7570_B20200620 contains a command-injection vulnerability in the pingCheck function, classified under CWE-77. The flaw received a CVSS 3.1 score of 9.8, reflecting network-accessible, unauthenticated exploitation that can yield complete confidentiality, integrity, and availability impacts on the affected router.

An unauthenticated remote attacker can supply crafted input to the pingCheck function and execute arbitrary operating-system commands. Successful exploitation grants full control of the device, enabling actions such as traffic interception, persistence, or use of the router as an attack pivot.

Public references describe the vulnerability and provide technical reproduction details but contain no information on vendor patches or mitigation steps. The associated EPSS score reached a peak of 0.4278 with a current value of 0.3349, indicating sustained but moderate exploitation interest after disclosure.
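The root cause described above, user input reaching a shell through a ping helper, is the general CWE-77 pattern. The following is an added illustration written for this page; it is hypothetical code, not TOTOLINK's firmware, and the function names ping_check_unsafe, is_safe_ping_target and ping_check_safe are assumptions. It shows the weak construction beside a hardened one that allow-lists the target and invokes ping without a shell.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>
#include <unistd.h>
#include <sys/wait.h>
#include <arpa/inet.h>

/* Hypothetical illustration of the CWE-77 pattern; not vendor code. */

/* Weak construction: the host string is pasted into a shell command line,
 * so shell metacharacters in it are interpreted by /bin/sh via system(). */
int ping_check_unsafe(const char *host) {
    char cmd[256];
    snprintf(cmd, sizeof cmd, "ping -c 1 %s", host);
    return system(cmd);
}

/* Allow-list check: accept a dotted-quad IPv4 address or a hostname made only
 * of letters, digits, '.' and '-'. Returns 1 if safe, 0 otherwise. */
int is_safe_ping_target(const char *host) {
    size_t n = strlen(host);
    if (n == 0 || n > 253) return 0;               /* empty or longer than a DNS name */
    struct in_addr a;
    if (inet_pton(AF_INET, host, &a) == 1) return 1; /* well-formed IPv4 literal */
    if (host[0] == '-' || host[0] == '.') return 0;  /* a leading '-' would be parsed as an option */
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)host[i];
        if (!(isalnum(c) || c == '.' || c == '-')) return 0; /* rejects ; | & $ ( ) ` space etc. */
    }
    return 1;
}

/* Hardened construction: validate first, then exec ping with an argv array.
 * No shell is involved, so the host can never be reinterpreted as commands.
 * Returns ping's exit status, or -1 on validation or process failure. */
int ping_check_safe(const char *host) {
    if (!is_safe_ping_target(host)) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *argv[] = {"ping", "-c", "1", (char *)host, NULL};
        execvp("ping", argv);
        _exit(127);                                /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) {
    /* Constructed sample inputs: two legitimate targets and two that carry
     * shell metacharacters or an option flag. */
    const char *samples[] = {"192.168.0.1", "router.local", "127.0.0.1; echo injected", "-f"};
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-28s -> %s\n", samples[i],
               is_safe_ping_target(samples[i]) ? "accepted" : "rejected");
    return 0;
}
```

The important design point is that validation and shell avoidance are independent layers: even if the allow-list were relaxed, execvp with a fixed argv never hands the string to a shell, and even if the process launch were changed, the allow-list still rejects metacharacters. Rejecting a leading '-' also closes the separate argument-injection path through ping's own option parser.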

Vulnerability details

TOTOLINK N600R V4.3.0cu.7570_B20200620 was discovered to contain a command injection vulnerability via the pingCheck function.

CWE(s)

CWE-77 (Command Injection)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: totolink
Product: n600r firmware
Version: 4.3.0cu.7570_b20200620

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.
