Cyber Resilience

CVE-2022-37661

Critical · Public PoC

Published: 14 September 2022

Modified: 21 November 2024
KEV Added
Patch
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.3074 (96.8th percentile)
Risk Priority: 38 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2022-37661 is a critical-severity vulnerability, with an unspecified weakness type, in Adtran SR510n firmware. Its CVSS base score is 9.8 (Critical).

Operationally, it is ranked in the top 3.2% of CVEs by exploit likelihood, it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

Deeper analysis

SmartRG SR506n version 2.5.15 and SR510n version 2.6.13 routers contain a remote code execution vulnerability in the ping host feature. The flaw carries a CVSS 3.1 score of 9.8 and is tracked as CVE-2022-37661, allowing unauthenticated network attackers to run arbitrary commands on the device.

An attacker with network access can supply crafted input to the ping functionality and obtain code execution with full system privileges, resulting in complete compromise of confidentiality, integrity, and availability without requiring credentials or user interaction.

Public exploit code for both affected models has been disclosed on PacketStorm and related sites. The EPSS score rose sharply from low values after disclosure to a peak of 0.8782 on 2025-01-22 before receding to the current 0.3074, indicating renewed exploitation interest well after the original publication.

Vulnerability details

SmartRG SR506n 2.5.15 and SR510n 2.6.13 routers are vulnerable to Remote Code Execution (RCE) via the ping host feature.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

adtran · sr510n firmware · 2.6.13
adtran · sr506n firmware · 2.5.15

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References