
CVE-2022-39073

Critical · RCE

Published: 06 January 2023
Modified: 10 April 2025
KEV Added: not listed
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.1758 (95.2nd percentile)
Risk Priority: 30 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2022-39073 is a critical-severity Command Injection (CWE-77) vulnerability in ZTE MF286R firmware. Its CVSS base score is 9.8 (Critical).

Operationally, it ranks in the top 4.8% of CVEs by exploit likelihood (EPSS), but it is not currently listed in the CISA KEV catalog.

Deeper analysis

CVE-2022-39073 is a command injection flaw in the ZTE MF286R that results from insufficient validation of input parameters. It is tracked under CWE-77 and carries a CVSS 3.1 base score of 9.8, reflecting a network attack vector, low attack complexity, and no required privileges or user interaction.

An unauthenticated attacker with network access can supply crafted input to execute arbitrary commands on the device, achieving full control over confidentiality, integrity, and availability of the affected system.

ZTE has published details on the issue through its support portal, with the advisory located at the referenced URL.

The associated EPSS score has remained flat at its peak value of 0.1758 with no material rise observed.


Vulnerability details

There is a command injection vulnerability in ZTE MF286R. Due to insufficient validation of the input parameters, an attacker could use the vulnerability to execute arbitrary commands.

CWE(s)

CWE-77 (Command Injection)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

zte
mf286r firmware
nordic_mf286r_b06

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.
