CVE-2022-27000
Published: 15 March 2022
Summary
CVE-2022-27000 is a critical-severity Command Injection (CWE-77) vulnerability in Commscope Arris Tr3300 Firmware. Its CVSS base score is 9.8 (Critical).
Operationally, ranked in the top 5.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
Arris TR3300 firmware version 1.0.13 contains a command injection vulnerability (CWE-77) in its time and time zone handling. The flaw resides in the h_primary_ntp_server, h_backup_ntp_server, and h_time_zone parameters and permits unauthenticated remote attackers to supply crafted input that results in arbitrary command execution on the device. The issue received a CVSS 3.1 score of 9.8.
An attacker with network access can submit a malicious request to the affected endpoints and obtain full control over the device, including the ability to read, modify, or delete data and disrupt service. No authentication or user interaction is required.
Public references consist of technical write-ups that demonstrate the injection vectors but contain no vendor advisory, patch information, or mitigation guidance. The associated EPSS score has remained in a narrow band around 0.13 with only a modest peak, indicating limited observed exploitation interest to date.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-31540
Vulnerability details
Arris TR3300 v1.0.13 was discovered to contain a command injection vulnerability in the time and time zone function via the h_primary_ntp_server, h_backup_ntp_server, and h_time_zone parameters. This vulnerability allows attackers to execute arbitrary commands via a crafted request.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.