CVE-2022-26990
Published: 15 March 2022
Summary
CVE-2022-26990 is a critical-severity OS Command Injection (CWE-78) vulnerability in Arris Sbr-Ac1900P Firmware. Its CVSS base score is 9.8 (Critical).
Operationally, ranked in the top 12.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
CVE-2022-26990 is a command-injection vulnerability affecting the firewall-local log configuration function in three Arris router models: SBR-AC1900P running firmware 1.0.7-B05, SBR-AC3200P running 1.0.7-B05, and SBR-AC1200P running 1.0.5-B05. Unauthenticated attackers can supply crafted values in the EmailAddress, SmtpServerName, SmtpUsername, or SmtpPassword parameters to inject and execute arbitrary operating-system commands. The flaw is tracked as CWE-78 and carries a CVSS 3.1 base score of 9.8.
An attacker with network access to the router’s management interface can submit a single unauthenticated HTTP request that triggers the vulnerable logging routine, resulting in full command execution on the device. Successful exploitation grants the attacker the ability to read or modify configuration files, install persistent malware, or pivot into attached networks without any prior credentials.
Public exploit details were published on GitHub shortly after disclosure. The associated EPSS score rose from a low baseline to a peak of 0.0956 in December 2025 before receding to its current value of 0.0335, indicating a measurable but ultimately limited increase in observed exploitation interest after the vulnerability became public. No vendor firmware updates or official mitigation guidance have been referenced in the available disclosures.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-31530
Vulnerability details
Arris routers SBR-AC1900P 1.0.7-B05, SBR-AC3200P 1.0.7-B05 and SBR-AC1200P 1.0.5-B05 were discovered to contain a command injection vulnerability in the firewall-local log function via the EmailAddress, SmtpServerName, SmtpUsername, and SmtpPassword parameters. This vulnerability allows attackers to execute arbitrary commands via a…
more
crafted request.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.