CVE-2022-43325
Published: 02 December 2022
Summary
CVE-2022-43325 is a critical-severity OS Command Injection (CWE-78) vulnerability in Telos Alliance Omnia MPX Node firmware. Its CVSS base score is 9.8 (Critical).
Operationally, it is ranked in the top 5.2% of CVEs by exploit likelihood. It is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
CVE-2022-43325 is an unauthenticated command injection vulnerability, tracked under CWE-78, that affects the product license validation function in Telos Alliance Omnia MPX Node versions 1.3.* through 1.4.*. The flaw carries a CVSS 3.1 score of 9.8 and permits remote attackers to supply a crafted payload through the license input field, resulting in arbitrary command execution on the device.
An attacker with network access can exploit the issue without authentication or user interaction by submitting a malicious license string that is processed by the validation routine. Successful exploitation grants full control over the affected appliance, enabling arbitrary code execution with impacts to confidentiality, integrity, and availability.
The associated EPSS score rose from a low baseline after disclosure to a peak of 0.2999 on 2025-12-11 before receding to the current value of 0.1524, indicating that exploitation interest increased well after the initial publication date. Public references consist of proof-of-concept material rather than vendor advisories.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-46364
Vulnerability details
An unauthenticated command injection vulnerability in the product license validation function of Telos Alliance Omnia MPX Node 1.3.* - 1.4.* allows attackers to execute arbitrary commands via a crafted payload injected into the license input.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls
Likely Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.