CVE-2022-22273 — OS Command Injection in SMA 200 Firmware

CWE-78 — OS Command Injection3 documents3 sources

Severity

9.8CRITICALNVD

EPSS

0.9%

top 24.88%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Sonicwall SMA 200 Firmware Sonicwall SMA 210 Firmware Sonicwall SMA 400 Firmware +7 more

Timeline

PublishedMar 17

Latest updateMar 18

Description

Improper neutralization of Special Elements leading to OS Command Injection vulnerability impacting end-of-life Secure Remote Access (SRA) products and older firmware versions of Secure Mobile Access (SMA) 100 series products, specifically the SRA appliances running all 8.x, 9.0.0.5-19sv and earlier versions and Secure Mobile Access (SMA) 100 series products running older firmware 9.0.0.9-26sv and earlier versions

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages10 packages

▶NVDsonicwall/sma_200_firmware9.0.0.9-26sv

▶NVDsonicwall/sma_210_firmware9.0.0.9-26sv

▶NVDsonicwall/sma_400_firmware9.0.0.9-26sv

▶NVDsonicwall/sma_410_firmware9.0.0.9-26sv

▶NVDsonicwall/sma_500v_firmware9.0.0.9-26sv

Patches

Patch: psirt.global.sonicwall.com ↗Patch: psirt.global.sonicwall.com ↗

🔴Vulnerability Details

GHSA

GHSA-4q58-23pv-54c4: ** UNSUPPORTED WHEN ASSIGNED ** Improper neutralization of Special Elements leading to OS Command Injection vulnerability impacting end-of-life Secure↗2022-03-18

▶

CVEList

CVE-2022-22273: Improper neutralization of Special Elements leading to OS Command Injection vulnerability impacting end-of-life Secure Remote Access (SRA) products an↗2022-03-17

▶