Cyber Resilience

CVE-2022-39987

Severity: High (RCE)

Published: 01 August 2023
Modified: 21 November 2024
CVSS v3.1 base score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS score: 0.7647 (99.0th percentile)
Risk priority: 63 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2022-39987 is a high-severity Command Injection (CWE-77) vulnerability in RaspAP. Its CVSS base score is 8.8 (High).

Operationally, it ranks in the top 1.0% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog.

Deeper analysis

A command injection vulnerability tracked as CVE-2022-39987 affects RaspAP versions 2.8.0 through 2.9.2. The flaw resides in the /ajax/networking/get_wgkey.php endpoint and stems from insufficient sanitization of the "entity" POST parameter, enabling execution of operating-system commands. It carries a CVSS 3.1 score of 8.8 and is associated with CWE-77.

An authenticated attacker with network access can supply crafted POST data to the vulnerable endpoint and run arbitrary commands with root privileges, resulting in full compromise of confidentiality, integrity, and availability on the affected host.

Public references consist of the affected source file on GitHub and a Medium disclosure describing multiple issues in the same application; neither the references nor the CVE record provide patch or mitigation guidance. The associated EPSS score stands at 0.7647 with an identical peak value, indicating no material post-disclosure rise in exploitation probability.
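As an added illustration, not RaspAP's own code (the handler, the key-file path and the way the parameter is consumed are all assumptions), the following PHP contrasts an unvalidated use of the "entity" POST parameter with an allow-listed and escaped version of the kind that closes this class of flaw:

```php
<?php
// Hypothetical handler, not RaspAP's code: it derives a WireGuard key file
// name from the POST parameter "entity" and reads it via a shell command.

// Weak pattern: the parameter reaches the shell unchanged, so any shell
// metacharacters in it become part of the command line.
function get_wgkey_unsafe(array $post): string
{
    $entity = (string) ($post['entity'] ?? '');
    return (string) shell_exec("cat /etc/wireguard/{$entity}.key");
}

// Allow-list the value before it is used anywhere. Interface names are
// short tokens of letters, digits, '-' and '_' (assumed policy).
function validate_entity(string $entity): ?string
{
    if (preg_match('/^[A-Za-z0-9_-]{1,15}$/', $entity) !== 1) {
        return null;
    }
    return $entity;
}

// Hardened pattern: reject anything outside the allow-list with a 400, and
// still pass the final path through escapeshellarg() as defence in depth.
function get_wgkey_safe(array $post): ?string
{
    $entity = validate_entity((string) ($post['entity'] ?? ''));
    if ($entity === null) {
        http_response_code(400);
        return null;
    }
    $path = escapeshellarg("/etc/wireguard/{$entity}.key");
    return (string) shell_exec("cat {$path}");
}

// Constructed sample inputs: a plain interface name passes, a value carrying
// a shell separator is rejected before any command is built.
assert(validate_entity('wg0') === 'wg0');
assert(validate_entity('wg0;true') === null);
assert(validate_entity('') === null);
```

Logging the rejected value (without echoing it back to the client) gives the SOC a cheap detection signal for probing against this endpoint.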


Vulnerability details

A command injection vulnerability in RaspAP 2.8.0 through 2.9.2 allows an authenticated attacker to execute arbitrary OS commands as root via the "entity" POST parameter in /ajax/networking/get_wgkey.php.

CWE(s)

CWE-77 (Command Injection)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: raspap
Product: raspap
Affected versions: 2.8.0 through 2.9.2

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.
