Cyber Resilience

CVE-2022-39986

CriticalPublic PoCRCE

Published: 01 August 2023

Published
01 August 2023
Modified
21 November 2024
KEV Added
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.9306 99.8th percentile
Risk Priority 75 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2022-39986 is a critical-severity Command Injection (CWE-77) vulnerability in Raspap Raspap. Its CVSS base score is 9.8 (Critical).

Operationally, ranked in the top 0.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

Deeper analysis

RaspAP versions 2.8.0 through 2.8.7 contain a command injection vulnerability tracked as CVE-2022-39986. The flaw resides in the OpenVPN-related AJAX endpoints activate_ovpncfg.php and del_ovpncfg.php, where the cfg_id parameter is passed directly to system commands without sanitization, corresponding to CWE-77.

Unauthenticated remote attackers can supply crafted values for cfg_id to execute arbitrary operating-system commands with the privileges of the web server process. Successful exploitation grants full control over the affected device, including the ability to read or modify files, install persistent access, or pivot within the network, consistent with the CVSS 9.8 rating reflecting network-accessible attack complexity with no required credentials or user interaction.

The associated EPSS score has reached 0.93 with no subsequent decline, indicating sustained exploitation interest following public disclosure. Public proof-of-concept material and packet captures have been posted to repositories such as Packet Storm, confirming that the vulnerable code paths remain reachable in default installations.

EU & UK References

Vulnerability details

A Command injection vulnerability in RaspAP 2.8.0 thru 2.8.7 allows unauthenticated attackers to execute arbitrary commands via the cfg_id parameter in /ajax/openvpn/activate_ovpncfg.php and /ajax/openvpn/del_ovpncfg.php.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

raspap
raspap
2.8.0 — 2.8.7

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References