Vulnerability Details: CVE-2022-43390
A command injection vulnerability in the CGI program of Zyxel NR7101 firmware prior to V1.15(ACCC.3)C0, which could allow an authenticated attacker to execute some OS commands on a vulnerable device by sending a crafted HTTP request.
Products affected by CVE-2022-43390
- cpe:2.3:o:zyxel:emg3525-t50b_firmware:-:*:*:*:*:*:*:*
- cpe:2.3:o:zyxel:emg5523-t50b_firmware:-:*:*:*:*:*:*:*
- cpe:2.3:o:zyxel:emg5723-t50k_firmware:-:*:*:*:*:*:*:*
- cpe:2.3:o:zyxel:vmg3927-t50k_firmware:-:*:*:*:*:*:*:*
- cpe:2.3:o:zyxel:vmg8623-t50b_firmware:-:*:*:*:*:*:*:*
- cpe:2.3:o:zyxel:vmg8825-t50k_firmware:-:*:*:*:*:*:*:*
- cpe:2.3:o:zyxel:dx5401-b0_firmware:-:*:*:*:*:*:*:*
- cpe:2.3:o:zyxel:ex3510-b0_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:zyxel:ex5401-b0_firmware:-:*:*:*:*:*:*:*
- cpe:2.3:o:zyxel:ex5501-b0_firmware:-:*:*:*:*:*:*:*
- cpe:2.3:o:zyxel:ax7501-b0_firmware:-:*:*:*:*:*:*:*
- cpe:2.3:o:zyxel:pm7300-t0_firmware:-:*:*:*:*:*:*:*
- cpe:2.3:o:zyxel:pmg5317-t20b_firmware:-:*:*:*:*:*:*:*
- cpe:2.3:o:zyxel:pmg5617ga_firmware:-:*:*:*:*:*:*:*
- cpe:2.3:o:zyxel:pmg5617-t20b2_firmware:-:*:*:*:*:*:*:*
- cpe:2.3:o:zyxel:pmg5622ga_firmware:-:*:*:*:*:*:*:*
- cpe:2.3:o:zyxel:dx3301-t0_firmware:-:*:*:*:*:*:*:*
- cpe:2.3:o:zyxel:lte7480-m804_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:zyxel:nr5101_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:zyxel:nr7101_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:zyxel:nr7102_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:zyxel:lte7490-m904_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:zyxel:nebula_nr5101_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:zyxel:nebula_nr7101_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:zyxel:dx4510-b1_firmware:-:*:*:*:*:*:*:*
- cpe:2.3:o:zyxel:ex3301-t0_firmware:-:*:*:*:*:*:*:*
- cpe:2.3:o:zyxel:ex5510-b0_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:zyxel:ex5512-t0_firmware:-:*:*:*:*:*:*:*
- cpe:2.3:o:zyxel:ex5600-t1_firmware:-:*:*:*:*:*:*:*
- cpe:2.3:o:zyxel:ex5601-t0_firmware:-:*:*:*:*:*:*:*
- cpe:2.3:o:zyxel:ex5601-t1_firmware:-:*:*:*:*:*:*:*
- cpe:2.3:o:zyxel:vmg4005-b50a_firmware:-:*:*:*:*:*:*:*
- cpe:2.3:o:zyxel:vmg4005-b60a_firmware:-:*:*:*:*:*:*:*
- cpe:2.3:o:zyxel:pm3100-t0_firmware:-:*:*:*:*:*:*:*
- cpe:2.3:o:zyxel:pm5100-t0_firmware:-:*:*:*:*:*:*:*
- cpe:2.3:o:zyxel:pm7320-b0_firmware:-:*:*:*:*:*:*:*
- cpe:2.3:o:zyxel:wx3100-t0_firmware:-:*:*:*:*:*:*:*
- cpe:2.3:o:zyxel:wx3401-b0_firmware:-:*:*:*:*:*:*:*
- cpe:2.3:o:zyxel:wx5600-t0_firmware:-:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2022-43390
1.53% (probability of exploitation activity in the next 30 days)
EPSS Score History
~80% percentile (the proportion of vulnerabilities scored at or below this score)
CVSS scores for CVE-2022-43390
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 2.8 | 5.9 | NIST | 
5.4 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N | 2.8 | 2.5 | Zyxel Corporation | 
CWE ids for CVE-2022-43390
- The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
  Assigned by:
  - nvd@nist.gov (Primary)
  - security@zyxel.com.tw (Secondary)
References for CVE-2022-43390
- https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-command-injection-and-buffer-overflow-vulnerabilities-of-cpe-fiber-onts-and-wifi-extenders
  Zyxel security advisory for command injection and buffer overflow vulnerabilities of CPE, fiber ONTs, and WiFi extenders | Zyxel Networks (Vendor Advisory)