Cyber Resilience

CVE-2022-27224

HighPublic PoCRCEUpdated

Published: 09 May 2022

Published
09 May 2022
Modified
22 May 2026
KEV Added
Patch
CVSS Score v3.1 7.2 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.1965 95.6th percentile
Risk Priority 26 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2022-27224 is a high-severity OS Command Injection (CWE-78) vulnerability in Galsys Nts-6002-Gps Firmware. Its CVSS base score is 7.2 (High).

Operationally, ranked in the top 4.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

Deeper analysis

CVE-2022-27224 affects the Galleon NTS-6002-GPS time server running firmware version 4.14.103-Galleon-NTS-6002.V12. The flaw is an OS command injection vulnerability (CWE-78) in the web-management interface's Network Tools section, where unsanitized input containing shell metacharacters is passed to the ping, traceroute, and DNS lookup utilities via the ping_address, trace_address, and nslookup_address parameters.

An authenticated administrative user can exploit the issue over the network to execute arbitrary commands with root privileges. Because the web interface already grants the same user SSH root access according to the vendor, the practical impact is limited to scenarios where an attacker obtains web credentials but cannot directly reach the SSH service.

The vendor disputes the finding, stating that the affected components existed only in development builds that were never shipped to customers and that no privilege boundary is crossed. Public references consist of a technical write-up and proof-of-concept gist along with the vendor's configuration manual and software download page; no formal patch or mitigation guidance is published.

EPSS remains flat at its recorded peak of 0.1965 with no observed post-disclosure rise.

EU & UK References

Vulnerability details

An issue was discovered in Galleon NTS-6002-GPS 4.14.103-Galleon-NTS-6002.V12 4. An authenticated attacker can perform command injection as root via shell metacharacters within the Network Tools section of the web-management interface. All three networking tools are affected (Ping, Traceroute, and DNS…

more

Lookup) and their respective input fields (ping_address, trace_address, nslookup_address). NOTE: this is disputed by the Supplier because the affected components were never shipped in a production release (they were only present in development releases), and because no privilege boundary is crossed (an applicable "authenticated attacker" always also has the supported ability to make an SSH connection as root).

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

galsys
nts-6002-gps firmware
4.14.103-galleon-nts-6002.v12_4

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-78

Platform-independent apps typically execute inside a managed runtime or sandbox that restricts direct OS command execution, reducing the ability to exploit OS command injection.

addresses: CWE-78

Validates inputs to block special elements that would alter OS command execution.

References