Cyber Resilience

CVE-2022-28704

High

Published: 13 June 2022

Modified: 21 November 2024
CVSS v3.1 score: 7.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
EPSS score: 0.0856 (92.6th percentile)
Risk priority: 20 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2022-28704 is a high-severity improper access control vulnerability in Rakuten Casa. Its CVSS base score is 7.2 (High).

Operationally, it ranks in the top 7.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

CVE-2022-28704 is an improper access control flaw affecting Rakuten Casa firmware versions AP_F_V1_4_1 and AP_F_V2_0_0. The vulnerability exists when the device is left in its factory-default configuration that permits SSH connections from the WAN side and retains unchanged default authentication credentials, enabling remote root login and subsequent arbitrary operations on the affected appliance.

A remote attacker who can reach the device over the internet can exploit the issue without additional user interaction. Successful authentication as root grants full control, allowing arbitrary command execution, configuration changes, or further lateral movement within the network.

Public advisories published by JVN and Rakuten recommend that operators immediately change default credentials, disable WAN-side SSH access, and apply any available firmware updates referenced in the vendor notice. The EPSS score has remained flat at 0.0856 with no material increase since disclosure.

Vulnerability details

Improper access control vulnerability in Rakuten Casa version AP_F_V1_4_1 or AP_F_V2_0_0 allows a remote attacker to log in with the root privilege and perform an arbitrary operation if the product is in its default settings, in which it is set to accept SSH connections from the WAN side, and is also connected to the Internet with the authentication information unchanged from the default settings.

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: rakuten
Product: casa
Versions: ap_f_v1_4_1, ap_f_v2_0_0

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.
