Cyber Resilience

CVE-2026-1222

High

Published: 20 January 2026

Modified: 15 April 2026
KEV Added
Patch
CVSS Score v4: 8.6 (CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0057 (42.6th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-1222 is a high-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in the PrismX MX100 AP controller developed by BROWAN COMMUNICATIONS (affected product inferred from references). Its CVSS v4.0 base score is 8.6 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 42.6th percentile by exploit likelihood (EPSS), which is below the median, and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-1222, published on 2026-01-20, is an Arbitrary File Upload vulnerability (CWE-434) affecting the PrismX MX100 AP controller developed by BROWAN COMMUNICATIONS. Assigned a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H), the flaw enables privileged remote attackers to upload and execute web shell backdoors, resulting in arbitrary code execution on the server.

The vulnerability can be exploited over the network by remote attackers who hold high privileges, with low attack complexity and no user interaction. Successful exploitation has a high impact on confidentiality, integrity, and availability: the attacker gains arbitrary code execution and can potentially compromise the entire server.

Advisories from TWCERT/CC provide further details on the issue, available at https://www.twcert.org.tw/en/cp-139-10643-2f8d7-2.html and https://www.twcert.org.tw/tw/cp-132-10642-3b808-1.html.

Vulnerability details

PrismX MX100 AP controller developed by BROWAN COMMUNICATIONS has an Arbitrary File Upload vulnerability, allowing privileged remote attackers to upload and execute web shell backdoors, thereby enabling arbitrary code execution on the server.

CWE(s)

CWE-434: Unrestricted Upload of File with Dangerous Type

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1505.003 Web Shell (Persistence)
Adversaries may backdoor web servers with web shells to establish persistent access to systems.

Why these techniques?

Arbitrary file upload directly enables web shell deployment (T1505.003) on a public-facing controller via remote exploitation (T1190).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-22654 (shared CWE-434)
CVE-2025-11948 (shared CWE-434)
CVE-2025-67260 (shared CWE-434)
CVE-2025-28915 (shared CWE-434)
CVE-2023-53956 (shared CWE-434)
CVE-2025-6058 (shared CWE-434)
CVE-2021-47819 (shared CWE-434)
CVE-2025-7852 (shared CWE-434)
CVE-2026-4883 (shared CWE-434)
CVE-2019-25630 (shared CWE-434)

Affected Assets

BROWAN COMMUNICATIONS PrismX MX100 AP controller
Inferred from references and description; NVD did not file a CPE for this CVE.

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

Prevent (SI-10, Information Input Validation): Directly blocks the arbitrary file upload vector by validating file types, content, and names before a web shell can be placed on the MX100 controller.

Prevent (CM-7, Least Functionality): Disables or restricts the file-upload and script-execution capabilities that the vulnerability exposes, enforcing least functionality on the AP controller.

Prevent: Enforces fine-grained access rules so that even high-privilege accounts cannot perform the unauthorized file-write and execute actions used in this attack.
