Cyber Resilience

CVE-2022-45701

HighPublic PoCRCE

Published: 17 February 2023

Published
17 February 2023
Modified
18 March 2025
KEV Added
Patch
CVSS Score v3.1 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.3530 97.2th percentile
Risk Priority 39 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2022-45701 is a high-severity Command Injection (CWE-77) vulnerability in Commscope Arris Tg2482A Firmware. Its CVSS base score is 8.8 (High).

Operationally, ranked in the top 2.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

Deeper analysis

CVE-2022-45701 is a remote code execution vulnerability in the Arris TG2482A cable modem firmware through version 9.1.103GEM9. The flaw resides in the ping utility feature and is associated with CWE-77 command injection, allowing an attacker to supply crafted input that executes arbitrary commands on the device. The vulnerability carries a CVSS 3.1 base score of 8.8, reflecting network attack vector, low complexity, and low privileges required.

An authenticated remote attacker with network access to the device management interface can exploit the ping utility to achieve full remote code execution. Successful exploitation grants the attacker the ability to compromise confidentiality, integrity, and availability of the affected router, potentially enabling persistence, lateral movement, or further attacks on connected networks.

Public proof-of-concept code has been published on GitHub and Packet Storm, and the EPSS score rose from lower values after disclosure to a peak of 0.5611 before receding to the current 0.3530, indicating a period of increased exploitation interest. No vendor advisory or patch information is provided in the available references.

EU & UK References

Vulnerability details

Arris TG2482A firmware through 9.1.103GEM9 allow Remote Code Execution (RCE) via the ping utility feature.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

commscope
arris tg2482a firmware
≤ 9.1.103
commscope
arris tg2492 firmware
≤ 9.1.103
commscope
arris sbg10 firmware
≤ 9.1.103

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References