CVE-2022-36273
Published: 16 August 2022
Summary
CVE-2022-36273 is a critical-severity OS Command Injection (CWE-78) vulnerability in Tenda AC9 firmware. Its CVSS base score is 9.8 (Critical).
Operationally, it is ranked in the top 4.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
Tenda AC9 firmware version V15.03.2.21_cn contains a command-injection vulnerability (CWE-78) reachable through the goform/SetSysTimeCfg endpoint. The flaw carries a CVSS 3.1 base score of 9.8, reflecting network-accessible, unauthenticated, low-complexity attack conditions that can result in full confidentiality, integrity, and availability impact.
An unauthenticated attacker with network access can submit crafted input to the time-configuration handler and execute arbitrary operating-system commands on the device. Successful exploitation grants the attacker the ability to read or modify configuration data, install persistent malware, or pivot to other hosts on the LAN.
Public references consist of two GitHub repositories that document the issue; neither a vendor advisory nor patch information is supplied in the available sources. The associated EPSS score has remained essentially flat near 0.18, with only a negligible difference between its peak and current values, indicating no pronounced post-disclosure surge in observed exploitation activity.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-38990
Vulnerability details
Tenda AC9 V15.03.2.21_cn is vulnerable to command injection via goform/SetSysTimeCfg.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.