Cyber Resilience

CVE-2022-50793

High · Public PoC · RCE

Published: 30 December 2025
Modified: 13 January 2026
KEV Added: not listed
CVSS Score (v4.0): 8.7 (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0279 (84.6th percentile)
Risk Priority: 55 (floored blend, peak EPSS)

Summary

CVE-2022-50793 is a high-severity OS Command Injection (CWE-78) vulnerability in Sound4 Impact Firmware. Its CVSS base score is 8.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Unix Shell (T1059.004); ranked in the top 15.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2022-50793 is an authenticated command injection vulnerability (CWE-78) in SOUND4 IMPACT, FIRST, PULSE, and Eco devices running versions <=2.x. The issue exists in the www-data-handler.php script, which processes the 'services' POST parameter without proper sanitization, enabling attackers to inject and execute arbitrary system commands with www-data user privileges.

Exploitation requires low-privileged authenticated access (PR:L) over the network (AV:N), with low attack complexity (AC:L) and no user interaction (UI:N), as reflected in its CVSS v3.1 base score of 8.8 (High). Successful exploitation gives remote command execution with scope unchanged (S:U) and high impact to confidentiality, integrity, and availability (C:H/I:H/A:H).

Advisories from VulnCheck, Zero Science Lab, IBM X-Force Exchange, and Packet Storm Security detail the vulnerability, including proof-of-concept exploits, while the vendor site at sound4.com is referenced for potential updates or patches. Practitioners should consult these sources for mitigation guidance.

Vulnerability details

SOUND4 IMPACT/FIRST/PULSE/Eco <=2.x contains an authenticated command injection vulnerability in the www-data-handler.php script that allows attackers to inject system commands through the 'services' POST parameter. Attackers can exploit this vulnerability by crafting malicious 'services' parameter values to execute arbitrary system commands with www-data user privileges.

CWE(s): CWE-78 (OS Command Injection)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1059.004 Unix Shell (Execution)
Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

The vulnerability is an authenticated command injection in a PHP script allowing arbitrary system command execution as www-data (Unix/Linux environment), directly enabling T1059.004: Unix Shell.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2023-53963 (same product: Sound4 Big Voice2)
CVE-2022-50794 (same product: Sound4 Big Voice2)
CVE-2022-50795 (same product: Sound4 Big Voice2)
CVE-2022-50791 (same product: Sound4 Big Voice2)
CVE-2022-50789 (same product: Sound4 Big Voice2)
CVE-2022-50796 (same product: Sound4 Big Voice2)
CVE-2023-53962 (same product: Sound4 Big Voice2)
CVE-2023-53964 (same product: Sound4 Big Voice2)
CVE-2023-53955 (same product: Sound4 Big Voice2)
CVE-2022-50792 (same product: Sound4 Big Voice2)

Affected Assets

Vendor   Product                  Versions
sound4   impact firmware          1.69, 2.15
sound4   pulse firmware           1.69, 2.15
sound4   first firmware           1.69, 2.15
sound4   impact eco firmware      1.16
sound4   pulse eco firmware       1.16
sound4   big voice4 firmware      1.2
sound4   big voice2 firmware      1.30
sound4   wm2 firmware             1.11
sound4   stream extension         2.4.29

Mitigating Controls (NIST 800-53 r5, AI)

Prevent (SI-10 Information Input Validation): Directly mitigates the command injection by requiring validation and sanitization of the 'services' POST parameter in www-data-handler.php to block malicious inputs.

Prevent (SI-2 Flaw Remediation): Remediates the specific flaw in the vulnerable PHP script through timely identification, reporting, and patching of the CVE.

Prevent (least privilege): Limits damage from injected commands by enforcing least privilege on the www-data user executing the arbitrary system commands.
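The SI-10 control above and the "Deeper analysis" section describe the fix in words; the following PHP is an added, constructed illustration of it and is not the SOUND4 firmware's www-data-handler.php (which this page does not reproduce). The service names, the /usr/bin/service path and the use of shell_exec are assumptions; the point is the allow-list check applied to the 'services' POST parameter before any value reaches the shell.

```php
<?php
// Added example (not the vendor's code). The page states that the real
// handler passes the 'services' POST parameter to the system shell without
// sanitisation; this stand-in shows the SI-10 fix: an exact-match allow-list
// checked before anything is handed to the shell.

// Hypothetical set of services the device is allowed to control.
const ALLOWED_SERVICES = ['stream', 'processing', 'watchdog'];

/**
 * Validate a raw 'services' value (comma-separated list) and return the
 * array of accepted names, or null if any entry is not on the allow-list.
 */
function validate_services(string $raw): ?array
{
    $names = array_map('trim', explode(',', $raw));
    foreach ($names as $name) {
        // Exact match only: no blacklist of metacharacters to get wrong.
        if (!in_array($name, ALLOWED_SERVICES, true)) {
            return null;
        }
    }
    return $names;
}

// Vulnerable pattern (constructed) of the kind the advisory describes:
// interpolating the raw parameter straight into the command line.
//   shell_exec("/usr/bin/service " . $_POST['services'] . " status");

// Hardened handler: validate first, then pass each name as one quoted
// argument so the shell never interprets attacker-controlled syntax.
function service_status(array $names): array
{
    $out = [];
    foreach ($names as $name) {
        $out[$name] = shell_exec('/usr/bin/service ' . escapeshellarg($name) . ' status');
    }
    return $out;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $names = validate_services($_POST['services'] ?? '');
    if ($names === null) {
        // Reject and log: rejected values are a useful detection signal.
        http_response_code(400);
        error_log('www-data-handler: rejected services value from ' . $_SERVER['REMOTE_ADDR']);
        exit;
    }
    header('Content-Type: application/json');
    echo json_encode(service_status($names));
}
```

The rejected-value log line also gives an operations team something concrete to alert on while a vendor patch (SI-2) is pending.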
