CVE-2022-26996
Published: 15 March 2022
Summary
CVE-2022-26996 is a critical-severity Command Injection (CWE-77) vulnerability in Commscope Arris Tr3300 Firmware. Its CVSS base score is 9.8 (Critical).
Operationally, ranked in the top 5.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
Arris TR3300 firmware version 1.0.13 contains a command injection vulnerability in its pppoe handling code. The flaw is triggered through the pppoe_username, pppoe_passwd, and pppoe_servicename parameters and is tracked as CWE-77. It received a CVSS 3.1 score of 9.8, reflecting network-accessible exploitation with no required credentials or user interaction.
An unauthenticated attacker can submit a crafted HTTP request that injects operating-system commands, resulting in arbitrary code execution on the device with full confidentiality, integrity, and availability impact. The vulnerability is reachable over the network and requires no prior authentication.
Public references consist of a technical write-up and proof-of-concept hosted on GitHub that demonstrate the injection vectors. No vendor advisory or firmware patch information is referenced in the available sources.
The CVE maintains an EPSS score of 0.1262 with a recorded peak of 0.1381, indicating sustained moderate exploitation interest after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-31536
Vulnerability details
Arris TR3300 v1.0.13 was discovered to contain a command injection vulnerability in the pppoe function via the pppoe_username, pppoe_passwd, and pppoe_servicename parameters. This vulnerability allows attackers to execute arbitrary commands via a crafted request.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.