CVE-2022-30105

Tags: Critical · Public PoC · RCE

Published: 18 May 2022
Modified: 21 November 2024
KEV Added: (not listed)
Patch: (none referenced)
CVSS v3.1 score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS score: 0.0690 (91.6th percentile)
Risk priority: 24 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2022-30105 is a critical-severity OS Command Injection (CWE-78) vulnerability in Belkin N300 Firmware. Its CVSS base score is 9.8 (Critical).

Operationally, it ranks in the top 8.4% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

Deeper analysis

CVE-2022-30105 is a remote command injection vulnerability affecting Belkin N300 Firmware version 1.00.08. The flaw resides in the script at /setting_hidden.asp, which remains reachable both before and after device configuration. Multiple parameters submitted via POST requests to the associated form are not sanitized, enabling injection of operating system commands that execute with root privileges because the web interface and all device processes run as root. The issue is tracked under CWE-78 and carries a CVSS 3.1 score of 9.8.

An unauthenticated attacker with network access can submit specially crafted parameters to the web interface and achieve arbitrary command execution as root, resulting in full control over the affected device. The provided references point to detailed exploit information but contain no advisory statements or patch guidance. The associated EPSS score has remained flat at 0.0690 with no material increase since disclosure.

Vulnerability details

In Belkin N300 Firmware 1.00.08, the script located at /setting_hidden.asp, which is accessible before and after configuring the device, exhibits multiple remote command injection vulnerabilities. The following parameters in the [form name] form; [list vulnerable parameters], are not properly sanitized after being submitted to the web interface in a POST request. With specially crafted parameters, it is possible to inject an OS command which will be executed with root privileges, as the web interface, and all processes on the device, run as root.

CWE(s)

CWE-78 (OS Command Injection)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: belkin
Product: n300 firmware
Version: 1.00.08

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses CWE-78: Platform-independent apps typically execute inside a managed runtime or sandbox that restricts direct OS command execution, reducing the ability to exploit OS command injection.

Addresses CWE-78: Validates inputs to block special elements that would alter OS command execution.
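The analysis above and the input-validation control just listed point at the same fix for this class of bug: a value taken from a web form must never reach a shell. The C below is an added example written for this page, not code from the advisory or from the Belkin firmware; the parameter type (a host/IP field), the ping tool and the function names are assumptions for illustration. It allowlist-validates the value and then runs a fixed program without /bin/sh, so metacharacters are rejected up front and could not be interpreted even if they slipped through.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

#define MAX_PARAM_LEN 63

/* Allowlist check for an assumed host/IP style POST parameter: letters, digits,
 * '.' and '-' only, bounded length, no leading '-' (which a tool could parse as
 * an option). Shell metacharacters such as ; | & ` $ and newlines fail this
 * check before the value is used anywhere. */
bool is_valid_host_param(const char *v)
{
    size_t n = strlen(v);
    if (n == 0 || n > MAX_PARAM_LEN || v[0] == '-') return false;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)v[i];
        if (!(isalnum(c) || c == '.' || c == '-')) return false;
    }
    return true;
}

/* Run a fixed program with the validated value as one argv entry. No shell is
 * involved, so the value cannot splice a second command into the line.
 * Returns the child's exit status, or -1 on invalid input or failure. */
int run_ping_checked(const char *host)
{
    if (!is_valid_host_param(host)) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *const argv[] = { "ping", "-c", "1", (char *)host, NULL };
        execvp("ping", argv);  /* only returns if exec itself fails */
        _exit(127);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* constructed sample inputs: two acceptable, three that must be rejected */
    const char *samples[] = { "192.0.2.10", "router.lan", "192.0.2.10;ls", "`ls`", "-h" };
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++)
        printf("%-16s -> %s\n", samples[i], is_valid_host_param(samples[i]) ? "accept" : "reject");
    return 0;
}
```

The same pattern applies to every form parameter a CGI handler forwards to a system tool: one allowlist per parameter type, and execve-style invocation with a fixed program path instead of system() or popen().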

References