CVE-2022-30105
Published: 18 May 2022
Summary
CVE-2022-30105 is a critical-severity OS Command Injection (CWE-78) vulnerability in Belkin N300 Firmware. Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 8.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
CVE-2022-30105 is a remote command injection vulnerability affecting Belkin N300 Firmware version 1.00.08. The flaw resides in the script at /setting_hidden.asp, which remains reachable both before and after device configuration. Multiple parameters submitted via POST requests to the associated form are not sanitized, enabling injection of operating system commands that execute with root privileges because the web interface and all device processes run as root. The issue is tracked under CWE-78 and carries a CVSS 3.1 score of 9.8.
An unauthenticated attacker with network access can submit specially crafted parameters to the web interface and achieve arbitrary command execution as root, resulting in full control over the affected device. The provided references point to detailed exploit information but contain no advisory statements or patch guidance. The associated EPSS score has remained flat at 0.0690 with no material increase since disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-35319
Vulnerability details
In Belkin N300 Firmware 1.00.08, the script located at /setting_hidden.asp, which is accessible before and after configuring the device, exhibits multiple remote command injection vulnerabilities. The following parameters in the [form name] form; [list vulnerable parameters], are not properly sanitized after being submitted to the web interface in a POST request. With specially crafted parameters, it is possible to inject an OS command which will be executed with root privileges, as the web interface, and all processes on the device, run as root.
- CWE(s): CWE-78 (OS Command Injection)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.