Cyber Resilience

CVE-2022-27226

Severity: High · Public PoC

Published: 19 March 2022
Modified: 21 November 2024
KEV Added: not listed
Patch: not listed
CVSS Score v3.1: 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.0319 (87.3rd percentile)
Risk Priority: 20 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2022-27226 is a high-severity CSRF (CWE-352) vulnerability in iRZ RU21 firmware. Its CVSS v3.1 base score is 8.8 (High).

Operationally, it ranks in the top 12.7% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

Deeper analysis

CVE-2022-27226 is a cross-site request forgery vulnerability in the /api/crontab endpoint of iRZ Mobile Routers through March 16, 2022. The flaw permits an attacker to submit a crafted request that creates an arbitrary crontab entry in the device administration interface; the resulting cron job then executes on the attacker-specified schedule, granting remote code execution and filesystem access on the router.

An unauthenticated attacker can trigger the issue by causing an authenticated administrator to visit a malicious page, or can achieve the same outcome without user interaction if the router still uses its factory-default credentials or if valid credentials have been obtained. Successful exploitation yields full control over scheduled tasks, enabling persistent command execution on the affected embedded device.

Public exploit code and detailed proof-of-concept reports have been released, including a Metasploit module and a GitHub repository demonstrating unauthenticated RCE via the CSRF vector. The EPSS score rose sharply from a low baseline to a peak of 0.6667 on 2025-01-22 before receding, indicating a clear post-disclosure increase in exploitation interest that warrants renewed monitoring of exposed iRZ routers.


Vulnerability details

A CSRF issue in /api/crontab on iRZ Mobile Routers through 2022-03-16 allows a threat actor to create a crontab entry in the router administration panel. The cronjob will consequently execute the entry on the threat actor's defined interval, leading to remote code execution, allowing the threat actor to gain filesystem access. In addition, if the router's default credentials aren't rotated or a threat actor discovers valid credentials, remote code execution can be achieved without user interaction.

CWE(s)

CWE-352: Cross-Site Request Forgery (CSRF)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor / Product / Affected versions
irz / ru21 firmware / ≤ 2022-03-16
irz / ru21w firmware / ≤ 2022-03-16
irz / rl21 firmware / ≤ 2022-03-16
irz / ru41 firmware / ≤ 2022-03-16
irz / rl01 firmware / ≤ 2022-03-16

Mitigating Controls

Likely Mitigating Controls (AI)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Each of the following controls addresses CWE-352:

Awareness training educates users on avoiding untrusted links and actions that can be exploited via CSRF.

Requiring users to re-enter their credentials for sensitive actions prevents automated forgery of requests without active user participation.

Security testing regimens explicitly include checks for missing or ineffective anti-CSRF protections in web applications.

Request monitoring detects anomalous request patterns consistent with cross-site request forgery.
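As an added illustration of the server-side checks those controls describe, the following Python models the gate a state-changing endpoint such as /api/crontab should apply before touching the crontab: an authenticated session, an Origin/Referer that names the router itself, and a per-session synchronizer token. It is constructed for this page, not iRZ firmware code; ROUTER_HOST, the header names and the in-memory token store are assumptions.

```python
"""Server-side CSRF gate for a state-changing router API path such as /api/crontab.
Constructed for this page; not iRZ firmware code. ROUTER_HOST, the header names
and the in-memory token store are assumptions made for illustration."""
from __future__ import annotations
import hmac
import secrets
from dataclasses import dataclass, field

ROUTER_HOST = "192.168.1.1"    # assumed address the admin interface is served from
SESSIONS: dict[str, str] = {}  # session id -> anti-CSRF token (assumed store)

@dataclass
class Request:
    method: str
    path: str
    headers: dict[str, str] = field(default_factory=dict)
    cookies: dict[str, str] = field(default_factory=dict)

def new_session() -> tuple[str, str]:
    """Issue a session id plus a synchronizer token. The token is handed to the admin
    page (form field or JS variable), never relied on as a cookie alone, so a page
    on another origin cannot read it even though the browser still sends the cookie."""
    sid, token = secrets.token_urlsafe(16), secrets.token_urlsafe(32)
    SESSIONS[sid] = token
    return sid, token

def _host_of(url: str) -> str:
    # Origin is "scheme://host[:port]"; Referer may also carry a path. Keep host only.
    return url.split("://", 1)[-1].split("/", 1)[0].split(":", 1)[0]

def check_csrf(req: Request) -> tuple[bool, str]:
    """Return (allowed, reason). A state-changing request must pass all three gates;
    the reason string is what a defender would log to spot forgery attempts."""
    if req.method in ("GET", "HEAD", "OPTIONS"):
        return True, "safe_method"
    token = SESSIONS.get(req.cookies.get("session", ""))
    if token is None:
        return False, "unauthenticated"
    # Gate 1: the browser-set Origin (or Referer) must name this router. A request
    # forged from another site carries the victim's cookie but a foreign origin.
    source = req.headers.get("Origin") or req.headers.get("Referer")
    if not source or _host_of(source) != ROUTER_HOST:
        return False, "origin_mismatch"
    # Gate 2: the synchronizer token must match the one bound to this session;
    # compare_digest keeps the comparison constant-time.
    sent = req.headers.get("X-CSRF-Token", "")
    if not hmac.compare_digest(sent.encode(), token.encode()):
        return False, "csrf_token_invalid"
    return True, "ok"
```

Logging the returned reason per rejected request is the concrete form of the "anomalous request pattern" detection listed above: a burst of origin_mismatch rejections on /api/crontab is the signal to investigate.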
