
CVE-2022-26990

Critical · Public PoC · RCE

Published: 15 March 2022
Modified: 21 November 2024
KEV Added
Patch
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0335 (87.6th percentile)
Risk Priority: 22 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2022-26990 is a critical-severity OS Command Injection (CWE-78) vulnerability in Arris SBR-AC1900P firmware. Its CVSS base score is 9.8 (Critical).

Operationally, it ranks in the top 12.4% of CVEs by exploit likelihood, it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

Deeper analysis

CVE-2022-26990 is a command-injection vulnerability affecting the firewall-local log configuration function in three Arris router models: SBR-AC1900P running firmware 1.0.7-B05, SBR-AC3200P running 1.0.7-B05, and SBR-AC1200P running 1.0.5-B05. Unauthenticated attackers can supply crafted values in the EmailAddress, SmtpServerName, SmtpUsername, or SmtpPassword parameters to inject and execute arbitrary operating-system commands. The flaw is tracked as CWE-78 and carries a CVSS 3.1 base score of 9.8.

An attacker with network access to the router’s management interface can submit a single unauthenticated HTTP request that triggers the vulnerable logging routine, resulting in full command execution on the device. Successful exploitation grants the attacker the ability to read or modify configuration files, install persistent malware, or pivot into attached networks without any prior credentials.

Public exploit details were published on GitHub shortly after disclosure. The associated EPSS score rose from a low baseline to a peak of 0.0956 in December 2025 before receding to its current value of 0.0335, indicating a measurable but ultimately limited increase in observed exploitation interest after the vulnerability became public. No vendor firmware updates or official mitigation guidance have been referenced in the available disclosures.

Vulnerability details

Arris routers SBR-AC1900P 1.0.7-B05, SBR-AC3200P 1.0.7-B05 and SBR-AC1200P 1.0.5-B05 were discovered to contain a command injection vulnerability in the firewall-local log function via the EmailAddress, SmtpServerName, SmtpUsername, and SmtpPassword parameters. This vulnerability allows attackers to execute arbitrary commands via a crafted request.

CWE(s)

CWE-78 (OS Command Injection)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

arris · sbr-ac1900p firmware · 1.0.7-b05
arris · sbr-ac3200p firmware · 1.0.7-b05
arris · sbr-ac1200p firmware · 1.0.5-b05

Mitigating Controls

Likely Mitigating Controls (AI)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-78

Platform-independent apps typically execute inside a managed runtime or sandbox that restricts direct OS command execution, reducing the ability to exploit OS command injection.

addresses: CWE-78

Validates inputs to block special elements that would alter OS command execution.
