← back
CVE-2022-36267

CVE-2022-36267

EPSS 53.8%
In Airspan AirSpot 5410 version 0.3.4.1-4 and under there exists a Unauthenticated remote command injection vulnerability. The ping functionality can be called without user authentication when crafting a malicious http request by injecting code in one of the parameters allowing for remote code execution. This vulnerability is exploited via the binary file /home/www/cgi-bin/diagnostics.cgi that accepts unauthenticated requests and unsanitized data. As a result, a malicious actor can craft a specific request and interact remotely with the device.
Affected products
n/a · n/a
public PoCs found3
githubgithub.com/0xNslabs/CVE-2022-36267-PoC12cve_referencepacketstormsecurity.com/files/168047/AirSpot-5410-0.3.4.1-4-Remote-Command-Injection.htmlunverifiedexploitdbwww.exploit-db.com/exploits/51011unverified
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
http://packetstormsecurity.com/files/168047/AirSpot-5410-0.3.4.1-4-Remote-Command-Injection.htmlhttps://gist.github.com/Nwqda/e82b3155401b094372195fdaa9b54833https://wdi.rfwel.com/cdn/techdocs/AirSpot5410.pdf