Cyber Resilience

CVE-2026-22317

High · RCE

Published: 18 March 2026

Modified: 18 March 2026
KEV Added
Patch
CVSS Score v3.1: 7.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0003 (9.4th percentile)
Risk Priority: 14 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-22317 is a high-severity Command Injection (CWE-77) vulnerability in Certvde (inferred from references). Its CVSS base score is 7.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 9.4th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-22317 is a command injection vulnerability (CWE-77) in the device's Root CA certificate transfer workflow. It affects the underlying Linux operating system, where crafted HTTP POST requests can lead to arbitrary command execution with root privileges. The vulnerability received a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H) and was published on 2026-03-18.

A high-privileged attacker with network access can exploit this vulnerability by sending specially crafted HTTP POST requests to the Root CA certificate transfer endpoint. Successful exploitation results in arbitrary command execution on the Linux OS as root, potentially allowing full system compromise, including data theft, modification, or disruption.

For mitigation details, refer to the advisory published by CERT VDE at https://certvde.com/de/advisories/VDE-2025-104.


Vulnerability details

A command injection vulnerability in the device’s Root CA certificate transfer workflow allows a high-privileged attacker to send crafted HTTP POST requests that result in arbitrary command execution on the underlying Linux OS with root privileges.

CWE(s)

CWE-77 (Command Injection)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190: Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1059.004: Unix Shell (Execution)
Adversaries may abuse Unix shell commands and scripts for execution.

Why these techniques?

Command injection in the network-accessible Root CA certificate transfer endpoint maps directly to T1190 (exploitation of a public-facing application) and T1059.004 (Unix shell command execution, here as root).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-4048 · Shared CWE-77
CVE-2026-31059 · Shared CWE-77
CVE-2026-22284 · Shared CWE-77
CVE-2024-39783 · Shared CWE-77
CVE-2024-57583 · Shared CWE-77
CVE-2026-46368 · Shared CWE-77
CVE-2024-39781 · Shared CWE-77
CVE-2024-39367 · Shared CWE-77
CVE-2026-3518 · Shared CWE-77
CVE-2024-57590 · Shared CWE-77

Affected Assets

Certvde
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls (NIST 800-53 r5) (AI)

Prevent: Directly prevents command injection by requiring validation and sanitization of crafted HTTP POST inputs in the Root CA certificate transfer workflow.

Prevent: Remediates the specific command injection flaw (CVE-2026-22317) through identification, reporting, and timely patching of the vulnerable endpoint.

Prevent: Limits damage from injected commands by enforcing least privilege on the Root CA certificate transfer process, preventing unnecessary root-level execution.
