Cyber Resilience

CVE-2022-36273

Critical · Public PoC · RCE

Published: 16 August 2022

Modified: 21 November 2024
CVSS v3.1 score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS score: 0.1786 (95.3rd percentile)
Risk priority: 30 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2022-36273 is a critical-severity OS Command Injection (CWE-78) vulnerability in Tenda AC9 firmware. Its CVSS base score is 9.8 (Critical).

Operationally, it ranks in the top 4.7% of CVEs by exploit likelihood, it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

Deeper analysis

Tenda AC9 firmware version V15.03.2.21_cn contains a command-injection vulnerability (CWE-78) reachable through the goform/SetSysTimeCfg endpoint. The flaw carries a CVSS 3.1 base score of 9.8, reflecting network-accessible, unauthenticated, low-complexity attack conditions that can result in full confidentiality, integrity, and availability impact.

An unauthenticated attacker with network access can submit crafted input to the time-configuration handler and execute arbitrary operating-system commands on the device. Successful exploitation grants the attacker the ability to read or modify configuration data, install persistent malware, or pivot to other hosts on the LAN.

Public references consist of two GitHub repositories that document the issue; no advisory or vendor patch information is supplied in the available sources. The associated EPSS score has remained essentially flat near 0.18 with only a negligible peak-to-current difference, indicating no pronounced post-disclosure surge in observed exploitation activity.

Vulnerability details

Tenda AC9 V15.03.2.21_cn is vulnerable to command injection via goform/SetSysTimeCfg.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: tenda
Product: ac9 firmware
Version: 15.03.2.21_cn

Mitigating Controls

Likely Mitigating Controls (AI)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-78

Platform-independent apps typically execute inside a managed runtime or sandbox that restricts direct OS command execution, reducing the ability to exploit OS command injection.

addresses: CWE-78

Validates inputs to block special elements that would alter OS command execution.