CVE-2022-27002
Published: 2022-03-15
CVE-2022-27002: Arris TR3300 v1.0.13 command injection in the ddns function via the ddns_name, ddns_pwd, h_ddns and ddns_host parameters
Priority: P1 · 84 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Flags: ITW (exploited in the wild) · VulnCheck KEV
EPSS: 6.12% (92.5th percentile)
Arris TR3300 v1.0.13 was discovered to contain a command injection vulnerability in the ddns function via the ddns_name, ddns_pwd, h_ddns and ddns_host parameters. This vulnerability allows attackers to execute arbitrary commands via a crafted request.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| commscope | arris_tr3300_firmware | — | — |
Detection & IOCs (extracted from sources)
URL: /user.cgi?NDDNS_ENABLE=1
Path: /user.cgi
Snort/Suricata rule (sid:2057318):
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Arris TR3300 user.cgi Command Injection Attempt (CVE-2022-27002)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/user.cgi?NDDNS_ENABLE=1"; fast_pattern; startswith; content:"DDNS_HOST|3d|"; distance:0; pcre:"/^[^\x26]*?(?:(?:\x3b|%3[Bb])|(?:\x0a|%0[Aa])|(?:\x60|%60)|(?:\x7c|%7[Cc])|(?:\x24|%24))+/R"; reference:cve,2022-27002; reference:url,unit42.paloaltonetworks.com/mirai-variant-targets-iot-exploits/; classtype:attempted-admin; sid:2057318; rev:1; metadata:affected_product Arris, attack_target Networking_Equipment, tls_state plaintext, created_at 2024_11_07, cve CVE_2022_27002, deployment Perimeter, deployment Internal, performance_impact Low, confidence High, signature_severity Major, tag Exploit, updated_at 2024_11_07, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
- The exploit targets the DDNS configuration function via a GET request to /user.cgi with NDDNS_ENABLE=1 and injection characters in the DDNS_HOST parameter. Look for shell metacharacters (;, newline, backtick, pipe, $) in the DDNS_HOST field, including URL-encoded variants (%3B, %0A, %60, %7C, %24).
- Vulnerable parameters include ddns_name, ddns_pwd, h_ddns and ddns_host; monitor all four for command injection payloads in requests to the DDNS function.
- This CVE has been observed exploited in the wild by a Mirai variant targeting IoT devices. Correlate exploitation attempts with subsequent botnet C2 activity.
- Traffic is expected in plaintext (non-TLS). Focus inspection on unencrypted HTTP traffic to networking equipment on the internal network and at the perimeter.
- The Snort/Suricata rule (sid:2057318) matches only GET requests. Verify whether the vulnerable endpoint also accepts POST requests, which the rule as written would not catch.
- The rule's PCRE is anchored after DDNS_HOST= and stops at an ampersand (\x26), so it inspects only the DDNS_HOST value; a metacharacter placed in a parameter that follows it (after the next &) is not matched and may evade detection.
- The affected version is specifically Arris TR3300 v1.0.13; the rule metadata scopes the affected product to Arris networking equipment only.
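The rule's scope and the two coverage gaps noted above, tested side by side as an added example (not code from the aggregator page or from the ET rule set): `rule_as_written` approximates what sid:2057318 matches, `broad_check` applies the wider check the notes call for (any method, POST body, all four advisory parameters), and both run over constructed sample requests. The sample hostnames, the `compare` helper and the function names are assumptions.

```python
from __future__ import annotations
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Shell metacharacters the ET rule (sid:2057318) alternates over: ; \n ` | $
# The rule accepts them raw or percent-encoded; here we decode, then match once.
METACHARS = re.compile(r"[;\n`|$]")

# Parameters the advisory names; the rule itself inspects only DDNS_HOST.
DDNS_PARAMS = {"ddns_name", "ddns_pwd", "h_ddns", "ddns_host"}

def rule_as_written(method: str, target: str) -> bool:
    """Approximate sid:2057318: GET only, URI starting /user.cgi?NDDNS_ENABLE=1,
    then a metachar inside DDNS_HOST's value, stopping at the next '&' just
    as the rule's PCRE [^\\x26]*? does."""
    if method != "GET" or not target.startswith("/user.cgi?NDDNS_ENABLE=1"):
        return False
    m = re.search(r"DDNS_HOST=([^&]*)", target)  # content match is case-sensitive
    return bool(m and METACHARS.search(unquote(m.group(1))))

def broad_check(method: str, target: str, body: str = "") -> list[str]:
    """Defender-side check closing the gaps noted above: any method (ignored on
    purpose), query string or form body, all four advisory parameters,
    case-insensitive names. Returns sorted names of parameters carrying a metachar."""
    parts = urlsplit(target)
    if parts.path != "/user.cgi":
        return []
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    pairs += parse_qsl(body, keep_blank_values=True)  # POST form body, if any
    return sorted({name.lower() for name, value in pairs
                   if name.lower() in DDNS_PARAMS and METACHARS.search(value)})

# Constructed sample requests (method, request-target, body); not real traffic.
SAMPLES = {
    "host_param": ("GET", "/user.cgi?NDDNS_ENABLE=1&DDNS_HOST=host.example%3B", ""),
    "other_param": ("GET", "/user.cgi?NDDNS_ENABLE=1&DDNS_HOST=host.example&DDNS_NAME=u%7C", ""),
    "post_body": ("POST", "/user.cgi", "NDDNS_ENABLE=1&DDNS_HOST=host.example%60"),
    "benign": ("GET", "/user.cgi?NDDNS_ENABLE=1&DDNS_HOST=host.example", ""),
}

def compare(samples=SAMPLES) -> dict[str, tuple[bool, list[str]]]:
    """Run both checks over the samples so the coverage gap is visible."""
    return {k: (rule_as_written(m, t), broad_check(m, t, b))
            for k, (m, t, b) in samples.items()}

if __name__ == "__main__":
    for name, (hit, params) in compare().items():
        print(f"{name:12s} rule_hit={hit!s:5s} broad={params}")
```

Only `host_param` trips the rule as written; `other_param` and `post_body` are flagged by the broader check alone, which is the gap the notes describe.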
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| NVD | 2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C |
| VulnCheck | n/a | 9.8 | CRITICAL | n/a |
GHSA
GHSA-9q46-wmvv-f799: Arris TR3300 v1 (ghsa_unreviewed, 2022-03-17; CVE-2022-27002 [CRITICAL], CWE-78)
Description: same text as the CVE entry above.
VulnCheck
commscope arris_tr3300_firmware: Improper Neutralization of Special Elements used in a Command ('Command Injection') (vulncheck, 2022, CVSS 9.8; CVE-2022-27002 [CRITICAL])
Description: same text as the CVE entry above.
Affected: commscope arris_tr3300_firmware
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://unit42.paloaltonetworks.com/mirai-variant-targets-iot-exploits/
Suricata
ET WEB_SPECIFIC_APPS Arris TR3300 user.cgi Command Injection Attempt (CVE-2022-27002) (suricata, 2024-11-07, CVSS 9.8; CVE-2022-27002 [CRITICAL])
Rule: sid:2057318, reproduced in full under Detection & IOCs above.
No public exploits indexed.
Unit42
IoT Under Siege: The Anatomy of the Latest Mirai Campaign Leveraging Multiple IoT Exploits (blogs_unit42, 2023-06-22; indexed under CVE-2019-12725 [CRITICAL], CVSS 9.8)
## Executive Summary
Since March 2023, Unit 42 researchers have observed threat actors leveraging several IoT vulnerabilities to spread a variant of the Mirai botnet. The vulnerabilities exploited include those listed in the following table:
| CVE/Product | Description |
|---|---|
| CVE-2019-12725 | Zeroshell Remote Command Execution Vulnerability |
| CVE-2019-17621 | D-Link DIR-859 Remote Command Injection Vulnerability |
| CVE-2019-20500 | D-Link DWL-2600AP Remote Command Execution Vulnerability |
| CVE-2021-25296 | Nagios XI Remote Command Injection Vulnerability |
| CVE-2021-46422 | Telesquare SDT-CW3B1 Router Command Injection Vulnerability |
| CVE-2022-27002 | Arris TR3300 Remote Command Injection Vulnerability |
| CVE-2022-29303 | SolarView Compact Command Injection Vulnerability |
| CVE-2022-30023 | Tenda HG9 Router Command Injection |
Article metadata: authors Chao Lei, Zhibin Zhang, Yiheng An and Cecilia Hu; published June 22, 2023; tags Trend Reports, Vulnerabilities, Botnet, IoT, IoT Security, Mirai.
CVEs covered by the article: CVE-2019-12725, CVE-2019-17621, CVE-2019-20500, CVE-2021-25296, CVE-2021-46422, CVE-2022-27002, CVE-2022-29303, CVE-2022-30023, CVE-2022-30525, CVE-2022-31499, CVE-2022-36266, CVE-2022-40005, CVE-2022-45699, CVE-2023-1389, CVE-2023-25280, CVE-2023-27240.
Greynoiseio
Trinity Cyber + GreyNoise: Sharing Intelligence to Protect Internet Citizens (blogs_greynoiseio, CVSS 8.8 [HIGH])