CVE-2022-4221

Critical · Public PoC · RCE

Published: 01 December 2022

Modified: 21 November 2024
KEV Added
Patch
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.5521 (98.1st percentile)
Risk Priority: 53 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2022-4221 is a critical-severity OS Command Injection (CWE-78) vulnerability in Asus NAS-M25 firmware. Its CVSS v3.1 base score is 9.8 (Critical).

Operationally, this CVE ranks in the top 1.9% of all CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

Deeper analysis

CVE-2022-4221 is an OS command injection vulnerability, tracked as CWE-78, that affects the Asus NAS-M25 network-attached storage appliance in all versions through 1.0.1.7. The flaw stems from improper neutralization of special elements when processing cookie values, allowing operating-system commands to be constructed and executed without adequate sanitization.

An unauthenticated attacker can exploit the issue remotely over the network by supplying crafted cookie data in HTTP requests. Successful exploitation grants the ability to run arbitrary commands, resulting in full compromise of confidentiality, integrity, and availability on the device, consistent with the CVSS 3.1 base score of 9.8.

Public advisories published at the referenced OneKey URLs describe the vulnerability and its impact. The associated EPSS score rose from low values after the 2022 disclosure to a peak of 0.8388 on 2025-01-22 before receding to the current 0.5521, indicating a clear increase in observed exploitation interest well after initial publication.

Vulnerability details

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Asus NAS-M25 allows an unauthenticated attacker to inject arbitrary OS commands via unsanitized cookie values. This issue affects NAS-M25 through version 1.0.1.7.

CWE(s)

CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: asus
Product: nas-m25 firmware
Versions: ≤ 1.0.1.7

Mitigating Controls

Likely Mitigating Controls (AI)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

- Addresses CWE-78: Platform-independent apps typically execute inside a managed runtime or sandbox that restricts direct OS command execution, reducing the ability to exploit OS command injection.
- Addresses CWE-78: Validates inputs to block special elements that would alter OS command execution.
