CVE-2022-50691
Published: 30 December 2025
Summary
CVE-2022-50691 is a critical-severity OS Command Injection (CWE-78) vulnerability in Minidvblinux Minidvblinux. Its CVSS base score is 9.3 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 34.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2022-50691 is a remote command execution vulnerability in MiniDVBLinux 5.4, classified under CWE-78 (OS Command Injection). The issue stems from the /tpl/commands.sh endpoint, which processes the 'command' GET parameter without proper sanitization, enabling attackers to inject and execute arbitrary commands.
Unauthenticated attackers can exploit this vulnerability remotely over the network with low attack complexity and no privileges or user interaction required, as reflected in its CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). Successful exploitation allows attackers to execute commands as root, resulting in complete system compromise with high impacts on confidentiality, integrity, and availability.
Advisories detailing the vulnerability, including potential mitigations, are available from sources such as VulnCheck (https://www.vulncheck.com/advisories/minidvblinux-remote-root-command-execution-via-commandssh), Zero Science Labs (https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5718.php), and Packet Storm Security (https://packetstormsecurity.com/files/168749/).
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-55944
Vulnerability details
MiniDVBLinux 5.4 contains a remote command execution vulnerability that allows unauthenticated attackers to execute arbitrary commands as root through the 'command' GET parameter. Attackers can exploit the /tpl/commands.sh endpoint by sending malicious command values to gain root-level system access.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
CVE-2022-50691 is an unauthenticated remote command injection vulnerability in a network-exposed web endpoint (/tpl/commands.sh), directly enabling exploitation of a public-facing application for arbitrary root command execution.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly prevents OS command injection by requiring validation of the unsanitized 'command' GET parameter at the /tpl/commands.sh endpoint.
Remediates the specific command execution flaw in MiniDVBLinux 5.4 through timely identification, reporting, and correction.
Enforces access control policies to block unauthenticated remote access to the vulnerable /tpl/commands.sh endpoint.