CVE-2022-26997
Published: 15 March 2022
Summary
CVE-2022-26997 is a critical-severity Command Injection (CWE-77) vulnerability in CommScope Arris TR3300 firmware. Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 5.9% of CVEs by exploit likelihood, it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
Arris TR3300 firmware version 1.0.13 contains a command-injection flaw in its UPnP implementation. The vulnerability, tracked as CVE-2022-26997 and assigned CWE-77, resides in the handling of the upnp_ttl parameter and permits unauthenticated attackers to supply crafted input that is passed directly to a system shell.
Because the affected service is reachable over the network and requires neither credentials nor user interaction, an attacker who can reach the device can execute arbitrary operating-system commands with the privileges of the UPnP process. Successful exploitation therefore yields full control of the router, including the ability to alter configuration, exfiltrate data, or pivot into attached networks.
Public references consist solely of a technical write-up and proof-of-concept on GitHub; no vendor advisory or firmware update addressing the issue is referenced. The CVE carries a CVSS 3.1 base score of 9.8. Its EPSS score has remained in the 0.12–0.14 range, indicating moderate but not widespread exploitation interest since disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-31537
Vulnerability details
Arris TR3300 v1.0.13 was discovered to contain a command injection vulnerability in the upnp function via the upnp_ttl parameter. This vulnerability allows attackers to execute arbitrary commands via a crafted request.
- CWE(s): CWE-77
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.