CVE-2022-27373
Published: 19 July 2022
Summary
CVE-2022-27373 is a high-severity OS Command Injection (CWE-78) vulnerability in Phicomm Fir303B Firmware. Its CVSS base score is 8.8 (High).
Operationally, ranked in the top 3.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
CVE-2022-27373 is a remote command execution vulnerability affecting the Ping function in the Shanghai Feixun Data Communication Technology Co., Ltd router model fir302b A2. The flaw is categorized under CWE-78 and carries a CVSS 3.1 score of 8.8, reflecting network-accessible command injection that can lead to full confidentiality, integrity, and availability impact.
An attacker with valid credentials can supply crafted input to the Ping feature over the network, resulting in arbitrary operating-system command execution on the device. This grants the ability to read or modify configuration and data, install persistent access mechanisms, or disrupt router operation without further user interaction.
Public references consist of GitHub repositories that appear to contain proof-of-concept material for the issue. No vendor advisory, firmware update, or official mitigation guidance is referenced in the available sources. The associated EPSS score has remained at 0.3245 since disclosure, indicating sustained but not newly escalating exploitation interest.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-31876
Vulnerability details
Shanghai Feixun Data Communication Technology Co., Ltd router fir302b A2 was discovered to contain a remote command execution (RCE) vulnerability via the Ping function.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.