CVE-2026-1222
Published: 20 January 2026
Summary
CVE-2026-1222 is a high-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in the PrismX MX100 AP controller developed by BROWAN COMMUNICATIONS. Its CVSS base score is 7.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 45.2% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
Threat & Defense Details
Likely Mitigating Controls (AI)
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Requiring identifiable owners for portable devices reduces the attack surface for unrestricted uploads of dangerous file types via anonymous media.
- Dangerous file uploads can be detonated in the chamber to determine malice before any production write or execution occurs.
- Prevents unrestricted writing of arbitrary or malicious firmware by keeping hardware write-protect enabled except under tightly controlled manual procedures.
- Scans files from external sources on download/open/execute, blocking unrestricted uploads of dangerous file types.
MITRE ATT&CK Enterprise Techniques (AI)
Why these techniques?
Arbitrary file upload directly enables web shell deployment (T1100) on a public-facing controller via remote exploitation (T1190).
NVD Description
PrismX MX100 AP controller developed by BROWAN COMMUNICATIONS has an Arbitrary File Upload vulnerability, allowing privileged remote attackers to upload and execute web shell backdoors, thereby enabling arbitrary code execution on the server.
Deeper analysis (AI)
CVE-2026-1222, published on 2026-01-20, is an Arbitrary File Upload vulnerability (CWE-434) affecting the PrismX MX100 AP controller developed by BROWAN COMMUNICATIONS. Assigned a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H), the flaw enables privileged remote attackers to upload and execute web shell backdoors, resulting in arbitrary code execution on the server.
Exploitation requires a remote attacker who already holds high privileges on the controller; attack complexity is low, the attack vector is the network, and no user interaction is needed. Successful exploitation has a high impact on confidentiality, integrity, and availability: the attacker achieves arbitrary code execution and can potentially compromise the entire server.
Advisories from TWCERT/CC provide further details on the issue, available at https://www.twcert.org.tw/en/cp-139-10643-2f8d7-2.html and https://www.twcert.org.tw/tw/cp-132-10642-3b808-1.html.
Details
- CWE(s)