CVE-2022-36267
Published: 08 August 2022
Summary
CVE-2022-36267 is a critical-severity vulnerability, with an unspecified weakness type, in Airspan AirSpot 5410 firmware. Its CVSS base score is 9.8 (Critical).
Operationally, it is ranked in the top 1.3% of CVEs by exploit likelihood, it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
CVE-2022-36267 is an unauthenticated remote command injection vulnerability affecting the Airspan AirSpot 5410 wireless device in firmware versions 0.3.4.1-4 and earlier. The flaw resides in the diagnostics.cgi binary at /home/www/cgi-bin/diagnostics.cgi, which exposes ping functionality that accepts unsanitized input over unauthenticated HTTP requests, enabling arbitrary command execution on the device.
An attacker with network access to the device can exploit the issue by crafting a malicious HTTP request that injects shell commands into a parameter of the ping endpoint. Successful exploitation grants the attacker full remote code execution with the privileges of the web server process, allowing complete compromise of the affected AirSpot 5410 without any credentials or user interaction.
Public exploit code for the vulnerability has been posted to Packet Storm and GitHub, and the EPSS score has reached a peak of 0.7474 with a current value of 0.7023, indicating substantial and sustained exploitation interest since disclosure. No vendor advisory or patch information appears among the available references.
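For defenders reviewing web server logs from or in front of an AirSpot 5410, the following added example (not code from the advisory or the vendor) flags requests to diagnostics.cgi whose query string carries shell metacharacters. The URL prefix, the parameter names `action` and `host`, and the log lines are constructed assumptions; the page gives only the on-disk path of the binary.

```python
import re
from urllib.parse import unquote_plus

# Assumption: the CGI is reachable under a URL ending in this file name.
ENDPOINT = "diagnostics.cgi"

# Separators and substitution syntax that a shell interprets as commands.
SHELL_META = re.compile(r"[;|&`\n\r]|\$\(|\$\{")

# Source address and request target from a common/combined format log line.
REQUEST = re.compile(r'^(?P<src>\S+) .*?"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample log lines; parameter names are hypothetical.
SAMPLE_LOG = [
    '192.0.2.10 - - [08/Aug/2022:10:00:01 +0000] "GET /cgi-bin/diagnostics.cgi?action=ping&host=198.51.100.7 HTTP/1.1" 200 512',
    '192.0.2.44 - - [08/Aug/2022:10:02:13 +0000] "GET /cgi-bin/diagnostics.cgi?action=ping&host=198.51.100.7%3Bid HTTP/1.1" 200 498',
    '192.0.2.44 - - [08/Aug/2022:10:02:20 +0000] "GET /cgi-bin/diagnostics.cgi?action=ping&host=198.51.100.7%2560uname%2560 HTTP/1.1" 200 498',
    '192.0.2.10 - - [08/Aug/2022:10:03:00 +0000] "GET /index.html?q=a%3Bb HTTP/1.1" 200 100',
]

def decode_fully(value, rounds=3):
    """Percent-decode repeatedly so double-encoded separators are not missed."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_requests(lines):
    """Return (source, decoded_parameter) for endpoint requests carrying shell metacharacters."""
    hits = []
    for line in lines:
        m = REQUEST.match(line)
        if not m:
            continue
        path, _, query = m.group("target").partition("?")
        if not path.endswith(ENDPOINT):
            continue
        # Split on the raw '&' first so ordinary parameter separators are not
        # flagged; an encoded %26 inside a value still is, after decoding.
        for pair in query.split("&"):
            decoded = decode_fully(pair)
            if SHELL_META.search(decoded):
                hits.append((m.group("src"), decoded))
    return hits

if __name__ == "__main__":
    for src, param in suspicious_requests(SAMPLE_LOG):
        print(f"{src}: {param!r}")
```

Access logs record only the request line, so parameters sent in a POST body are not covered by this check. Since the endpoint accepts unauthenticated requests, any hit from an address outside the management network warrants review of the device.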
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-38985
Vulnerability details
In Airspan AirSpot 5410 version 0.3.4.1-4 and under there exists an unauthenticated remote command injection vulnerability. The ping functionality can be called without user authentication when crafting a malicious HTTP request by injecting code in one of the parameters, allowing for remote code execution. This vulnerability is exploited via the binary file /home/www/cgi-bin/diagnostics.cgi that accepts unauthenticated requests and unsanitized data. As a result, a malicious actor can craft a specific request and interact remotely with the device.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.