CVE-2022-4221
Published: 01 December 2022
Summary
CVE-2022-4221 is a critical-severity OS Command Injection (CWE-78) vulnerability in Asus NAS-M25 firmware. Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 1.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
CVE-2022-4221 is an OS command injection vulnerability, tracked as CWE-78, that affects the Asus NAS-M25 network-attached storage appliance in all versions through 1.0.1.7. The flaw stems from improper neutralization of special elements when processing cookie values, allowing operating-system commands to be constructed and executed without adequate sanitization.
An unauthenticated attacker can exploit the issue remotely over the network by supplying crafted cookie data in HTTP requests. Successful exploitation grants the ability to run arbitrary commands, resulting in full compromise of confidentiality, integrity, and availability on the device, consistent with the CVSS 3.1 base score of 9.8.
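As an added example (not code from the advisory, the vendor, or OneKey), the following Python shows two checks a defender would want after reading the description above: whether a NAS-M25 firmware version string falls within the affected range the advisory states (through 1.0.1.7), and a scan of HTTP requests for Cookie header values carrying shell metacharacters, the generic signature of a CWE-78 probe against a cookie-parsing handler. The cookie names, paths and sample requests are assumptions constructed for illustration.

```python
# Added example (not from the advisory, vendor or OneKey): defender-side checks
# for CVE-2022-4221. The bound "through 1.0.1.7" comes from the advisory text;
# field names, paths and sample requests are constructed for illustration.
import re

LAST_AFFECTED = (1, 0, 1, 7)  # NAS-M25 firmware "through 1.0.1.7" (advisory)
# Characters a POSIX shell interprets; a legitimate cookie value never needs them.
SHELL_META = re.compile(r"[;&|`$(){}<>\n]")

def is_affected(version: str) -> bool:
    """True if a NAS-M25 firmware version string is within the affected range."""
    parts = tuple(int(p) for p in version.strip().split("."))
    return parts <= LAST_AFFECTED

def suspicious_cookies(cookie_header: str) -> list[str]:
    """Cookie fragments carrying shell metacharacters. A fragment without '='
    (the bare 'id' in 'sid=x;id') is reported too: an injected ';' produces one."""
    hits = []
    for fragment in cookie_header.split(";"):
        fragment = fragment.strip()
        if not fragment:
            continue
        name, sep, value = fragment.partition("=")
        if not sep or SHELL_META.search(name) or SHELL_META.search(value):
            hits.append(fragment)
    return hits

def scan_requests(raw_requests: list[str]) -> list[tuple[str, list[str]]]:
    """Pair each request line with its suspicious cookie fragments, if any."""
    findings = []
    for raw in raw_requests:
        head = raw.split("\r\n\r\n", 1)[0].split("\r\n")  # request line + headers
        for header in head[1:]:
            hname, _, hval = header.partition(":")
            if hname.strip().lower() == "cookie":
                hits = suspicious_cookies(hval)
                if hits:
                    findings.append((head[0], hits))
    return findings

# Constructed sample traffic, not captured from a real device.
SAMPLE_REQUESTS = [
    "GET /cgi-bin/index.cgi HTTP/1.1\r\nHost: nas\r\nCookie: sid=3f9a1c; lang=en\r\n\r\n",
    "GET /cgi-bin/index.cgi HTTP/1.1\r\nHost: nas\r\nCookie: sid=3f9a1c;id\r\n\r\n",
    "GET /cgi-bin/index.cgi HTTP/1.1\r\nHost: nas\r\nCookie: sid=abc$(id)\r\n\r\n",
]

if __name__ == "__main__":
    print(scan_requests(SAMPLE_REQUESTS))  # the second and third requests are flagged
```

The metacharacter class is deliberately strict; tune it to the cookie values your own NAS-M25 deployment legitimately emits before alerting on it.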
Public advisories published at the referenced OneKey URLs describe the vulnerability and its impact. The associated EPSS score rose from low values after the 2022 disclosure to a peak of 0.8388 on 2025-01-22 before receding to the current 0.5521, indicating a clear increase in observed exploitation interest well after initial publication.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-51581
Vulnerability details
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Asus NAS-M25 allows an unauthenticated attacker to inject arbitrary OS commands via unsanitized cookie values. This issue affects NAS-M25: through 1.0.1.7.
- CWE(s): CWE-78 (OS Command Injection)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.