Cyber Resilience

CVE-2022-50909

High · Public PoC · RCE

Published: 13 January 2026
Modified: 15 April 2026
CVSS v4.0 score: 8.6 (CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS score: 0.0210 (79.3rd percentile)
Risk priority: 55 (floored blend, peak EPSS)

Summary

CVE-2022-50909 is a high-severity OS Command Injection (CWE-78) vulnerability. Its CVSS base score is 8.6 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks in the top 20.7% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2022-50909 is a command injection vulnerability (CWE-78) in Algo 8028 Control Panel version 3.3.3. The flaw exists in the fm-data.lua endpoint, where the insecure 'source' parameter enables authenticated attackers to inject arbitrary commands executed with root privileges. Exploitation occurs through a crafted POST request, leading to remote code execution. The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

Authenticated attackers with low privileges can exploit this issue over the network with low attack complexity and no user interaction. Successful exploitation allows remote code execution at the root level on the affected control panel, potentially enabling full system compromise, data theft, or further lateral movement within the environment.

Mitigation details are available through vendor resources and advisories. Algo Solutions provides firmware downloads for the 8028 device at https://www.algosolutions.com/firmware-downloads/8028-firmware-selection/. Additional guidance appears in the VulnCheck advisory at https://www.vulncheck.com/advisories/algo-control-panel-remote-code-execution-rce-authenticated, and a proof-of-concept exploit is published on Exploit-DB at https://www.exploit-db.com/exploits/50960.

Vulnerability details

Algo 8028 Control Panel version 3.3.3 contains a command injection vulnerability in the fm-data.lua endpoint that allows authenticated attackers to execute arbitrary commands. Attackers can exploit the insecure 'source' parameter by injecting commands that are executed with root privileges, enabling remote code execution through a crafted POST request.

CWE(s)

CWE-78 OS Command Injection

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
T1059.004 Command and Scripting Interpreter: Unix Shell (tactic: Execution)
Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

Command injection in the web endpoint allows low-privileged authenticated remote attackers to execute arbitrary OS commands as root, directly facilitating Exploitation for Privilege Escalation (T1068) and Command and Scripting Interpreter: Unix Shell (T1059.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-26318 (shared CWE-78)
CVE-2026-5208 (shared CWE-78)
CVE-2025-70329 (shared CWE-78)
CVE-2024-49563 (shared CWE-78)
CVE-2026-33641 (shared CWE-78)
CVE-2026-22277 (shared CWE-78)
CVE-2024-49565 (shared CWE-78)
CVE-2026-42924 (shared CWE-78)
CVE-2025-66209 (shared CWE-78)
CVE-2025-22605 (shared CWE-78)

Affected Assets

Algo 8028 Control Panel, version 3.3.3 (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls (NIST 800-53 r5) (AI)

SI-10 Information Input Validation (prevent)
Directly prevents command injection by validating and sanitizing the insecure 'source' parameter in the fm-data.lua endpoint.

SI-2 Flaw Remediation (prevent)
Remediates the specific command injection vulnerability in Algo 8028 Control Panel version 3.3.3 via timely flaw patching and firmware updates.

AC-6 Least Privilege (prevent)
Limits the impact of injected commands by enforcing least privilege, so that requests from low-privileged authenticated users are never executed as root.
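The input-validation control above (SI-10), shown as an added example rather than Algo's own code: the legitimate values of the `source` parameter are treated as a small fixed allowlist, the downstream command is built as an argv list so no shell ever parses the value, and the same allowlist plus a shell-metacharacter check is run over constructed access-log lines to flag POST requests to fm-data.lua that a defender should review. The allowlist names (`line-in`, `mic`, `stream`), the program name `get-fm-data` and the log format are assumptions; the page does not say what the endpoint actually accepts or invokes.

```python
"""Added example (not Algo 8028 firmware code): allowlist validation for a
request parameter that reaches an OS command, and a log check for requests
to the affected endpoint that carry shell metacharacters in that parameter."""
import re
from typing import List
from urllib.parse import parse_qs

# Assumption: legitimate 'source' values are a small fixed set of names.
# These three names are placeholders, not the real device's values.
ALLOWED_SOURCES = frozenset({"line-in", "mic", "stream"})

# Characters that let a value escape a single shell argument.
SHELL_META = re.compile(r"""[;&|`$<>(){}\n\r\\'"]""")


def is_valid_source(value: str) -> bool:
    """Allowlist check: only exact, known names pass; everything else is rejected."""
    return value in ALLOWED_SOURCES


def build_command(source: str) -> List[str]:
    """Build the argv for the helper program from a validated 'source'.

    Returning a list (for subprocess.run without shell=True) means the value is
    passed as one argument and is never interpreted by a shell. The program
    name 'get-fm-data' is a placeholder for whatever the endpoint really runs.
    """
    if not is_valid_source(source):
        raise ValueError(f"rejected source value: {source!r}")
    return ["get-fm-data", "--source", source]


# Constructed sample access-log lines (not real traffic).
# Assumed format: METHOD PATH "URL-ENCODED BODY"
SAMPLE_LOG = [
    'POST /fm-data.lua "source=mic"',             # allowlisted value, benign
    'POST /fm-data.lua "source=stream%3Bid"',     # %3B decodes to ';'
    'GET /index.lua ""',                          # different endpoint, ignored
    'POST /fm-data.lua "source=$(whoami)"',       # command substitution shape
]

LOG_RE = re.compile(r'^(?P<method>\S+) (?P<path>\S+) "(?P<body>[^"]*)"$')


def flag_suspicious(lines: List[str]) -> List[str]:
    """Return the log lines that POST to fm-data.lua with a 'source' value
    that is both outside the allowlist and contains shell metacharacters."""
    flagged = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST" or not m["path"].endswith("/fm-data.lua"):
            continue
        # parse_qs percent-decodes each value, so encoded metacharacters are seen.
        params = parse_qs(m["body"], keep_blank_values=True)
        for value in params.get("source", []):
            if not is_valid_source(value) and SHELL_META.search(value):
                flagged.append(line)
                break
    return flagged


if __name__ == "__main__":
    print(build_command("mic"))
    for hit in flag_suspicious(SAMPLE_LOG):
        print("review:", hit)
```

The two halves share one definition of "valid", which is the point: the allowlist that the hardened handler enforces is also what the detection compares against, so a request that the patched firmware would reject is exactly the request the log review surfaces on unpatched units.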