CVE-2022-27226
Published: 19 March 2022
Summary
CVE-2022-27226 is a high-severity CSRF (CWE-352) vulnerability in Irz Ru21 Firmware. Its CVSS base score is 8.8 (High).
Operationally, it ranks in the top 12.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
CVE-2022-27226 is a cross-site request forgery vulnerability in the /api/crontab endpoint of iRZ Mobile Routers through March 16, 2022. The flaw permits an attacker to submit a crafted request that creates an arbitrary crontab entry in the device administration interface; the resulting cron job then executes on the attacker-specified schedule, granting remote code execution and filesystem access on the router.
An unauthenticated attacker can trigger the issue by causing an authenticated administrator to visit a malicious page, or can achieve the same outcome without user interaction if the router still uses its factory-default credentials or if valid credentials have been obtained. Successful exploitation yields full control over scheduled tasks, enabling persistent command execution on the affected embedded device.
Public exploit code and detailed proof-of-concept reports have been released, including a Metasploit module and a GitHub repository demonstrating unauthenticated RCE via the CSRF vector. The EPSS score rose sharply from a low baseline to a peak of 0.6667 on 2025-01-22 before receding, indicating a clear post-disclosure increase in exploitation interest that warrants renewed monitoring of exposed iRZ routers.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-31735
Vulnerability details
A CSRF issue in /api/crontab on iRZ Mobile Routers through 2022-03-16 allows a threat actor to create a crontab entry in the router administration panel. The cronjob will consequently execute the entry on the threat actor's defined interval, leading to remote code execution, allowing the threat actor to gain filesystem access. In addition, if the router's default credentials aren't rotated or a threat actor discovers valid credentials, remote code execution can be achieved without user interaction.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls
Likely Mitigating Controls (AI-derived)
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Awareness training educates users on avoiding untrusted links and actions that can be exploited via CSRF.
- Requiring user re-entry of credentials for sensitive actions prevents automated forgery of requests without active user participation.
- Security testing regimens explicitly include checks for missing or ineffective anti-CSRF protections in web applications.
- Request monitoring detects anomalous request patterns consistent with cross-site request forgery.
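As an added example (not code from the page or from the vendor), the kind of anti-CSRF guard a state-changing router admin endpoint such as /api/crontab needs, shown beside the cookie-only check that a forged cross-site request passes. The router origin, cookie and header names, and the server secret are assumptions.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

# Hypothetical router address (RFC 5737 documentation range), used as the only allowed origin.
ROUTER_ORIGIN = "https://192.0.2.1"


def cookie_only_guard(cookies):
    """The weak check: a session cookie is present. Browsers attach cookies to
    cross-site form posts automatically, so a forged request passes this."""
    return "session" in cookies


def issue_csrf_token(session_id, secret):
    """Per-session anti-CSRF token: HMAC of the session id under a server secret.
    A cross-site page cannot read it, so it cannot be forged along with the cookie."""
    return hmac.new(secret, session_id.encode(), hashlib.sha256).hexdigest()


def csrf_guard(headers, cookies, secret):
    """Return (allowed, reason) for a request to a state-changing admin endpoint.

    Two independent checks are applied:
    1. Origin (or Referer as fallback) must match the router's own origin.
       Browsers send Origin on cross-site POSTs; a missing header is rejected
       rather than trusted, since Referer may be stripped by privacy settings.
    2. The request must carry the session-bound token in a custom header.
    """
    h = {k.lower(): v for k, v in headers.items()}
    session_id = cookies.get("session")
    if not session_id:
        return False, "no session"
    source = h.get("origin") or h.get("referer")
    if not source:
        return False, "missing Origin/Referer"
    parts = urlsplit(source)
    if f"{parts.scheme}://{parts.netloc}" != ROUTER_ORIGIN:
        return False, f"cross-site source {source}"
    expected = issue_csrf_token(session_id, secret)
    if not hmac.compare_digest(expected, h.get("x-csrf-token", "")):
        return False, "bad or missing CSRF token"
    return True, "ok"
```

Constructed forged request: a cross-site page posting with the victim's cookie but no token is accepted by `cookie_only_guard` and rejected by `csrf_guard` on the origin check alone.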