CVE-2022-27002
published 2022-03-15

CVE-2022-27002: Arris TR3300 v1.0.13 were discovered to contain a command injection vulnerability in the ddns function via the ddns_name, ddns_pwd, h_ddns, ddns_host…

Priority: P1 (84)
Severity: critical, 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
In the wild: yes (VulnCheck KEV)
EPSS: 6.12% (92.5th percentile)
Arris TR3300 v1.0.13 was discovered to contain a command injection vulnerability in the ddns function via the ddns_name, ddns_pwd, h_ddns and ddns_host parameters. This vulnerability allows attackers to execute arbitrary commands via a crafted request.

Affected (1 range)

Vendor      Product                  Version range               Fixed in
commscope   arris_tr3300_firmware    (not listed on this page)   (not listed on this page)

Detection & IOCs (extracted from sources)

url: /user.cgi?NDDNS_ENABLE=1
path: /user.cgi
rule (Snort/Suricata, ET sid:2057318):
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Arris TR3300 user.cgi Command Injection Attempt (CVE-2022-27002)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/user.cgi?NDDNS_ENABLE=1"; fast_pattern; startswith; content:"DDNS_HOST|3d|"; distance:0; pcre:"/^[^\x26]*?(?:(?:\x3b|%3[Bb])|(?:\x0a|%0[Aa])|(?:\x60|%60)|(?:\x7c|%7[Cc])|(?:\x24|%24))+/R"; reference:cve,2022-27002; reference:url,unit42.paloaltonetworks.com/mirai-variant-targets-iot-exploits/; classtype:attempted-admin; sid:2057318; rev:1; metadata:affected_product Arris, attack_target Networking_Equipment, tls_state plaintext, created_at 2024_11_07, cve CVE_2022_27002, deployment Perimeter, deployment Internal, performance_impact Low, confidence High, signature_severity Major, tag Exploit, updated_at 2024_11_07, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
  • Exploit targets the DDNS configuration function via GET request to /user.cgi with NDDNS_ENABLE=1 and injection characters in the DDNS_HOST parameter. Look for shell metacharacters (;, newline, backtick, pipe, $) in the DDNS_HOST field, including URL-encoded variants (%3B, %0A, %60, %7C, %24).
  • Vulnerable parameters include ddns_name, ddns_pwd, h_ddns, and ddns_host — monitor all four for command injection payloads in requests to the DDNS function.
  • This CVE has been observed exploited in the wild by a Mirai variant targeting IoT devices. Correlate exploitation attempts with subsequent botnet C2 activity.
  • Traffic is expected in plaintext (non-TLS). Focus inspection on unencrypted HTTP traffic to networking equipment on the internal network and perimeter.
  • The Snort/Suricata rule (sid:2057318) matches only GET requests (http.method; content:"GET"). Verify whether the vulnerable endpoint also accepts POST requests; a POST carrying the same parameters in its body would not be caught by this rule as written.
  • The rule inspects only the DDNS_HOST value: the PCRE is anchored relative to the DDNS_HOST= match and its [^\x26]*? prefix stops at the next ampersand (\x26), so a metacharacter in any other parameter, before or after DDNS_HOST, does not match. The ddns_name, ddns_pwd and h_ddns parameters listed in the description are not covered by the rule at all.
  • The content matches carry no nocase modifier, so only the uppercase spelling DDNS_HOST is matched, while the description lists the parameters in lowercase; the page does not state whether the device's parser treats parameter names case-insensitively, so test this before relying on the rule alone.
  • Affected version is specifically Arris TR3300 v1.0.13 per the description; rule metadata scopes the affected product to Arris networking equipment only.
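The following is an added example, not code from the page or from the Emerging Threats rule set: it re-implements the match conditions of sid:2057318 as a plain function, puts beside it the broader check the notes above recommend (all four CVE parameters, GET query and POST body, case-insensitive names, decoded values), and runs both over a handful of constructed requests. The sample requests are made up for illustration; the POST sample only shows the rule's blind spot and is not a claim that the device accepts POST, and the lowercase-name sample only shows the rule's case-sensitive content match. The rule re-implementation treats the URI as the literal request-line string; how a sensor normalises http.uri before matching is an assumption not modelled here.

```python
import re
from urllib.parse import unquote_plus

# Shell metacharacters the rule's PCRE looks for, raw and URL-encoded:
# ';' %3B, newline %0A, '`' %60, '|' %7C, '$' %24
_RULE_META_RE = re.compile(r";|%3[Bb]|\n|%0[Aa]|`|%60|\||%7[Cc]|\$|%24")
# The same characters after decoding, for the broader check below.
_DECODED_META_RE = re.compile(r"[;\n`|$]")

# The four parameters named in the CVE description (compared case-insensitively).
_DDNS_PARAMS = {"ddns_name", "ddns_pwd", "h_ddns", "ddns_host"}

RULE_PREFIX = "/user.cgi?NDDNS_ENABLE=1"   # content + startswith on http.uri
RULE_PARAM = "DDNS_HOST="                  # content with distance:0 (case-sensitive)


def rule_2057318_matches(method: str, uri: str) -> bool:
    """Re-implementation of the match conditions of ET sid:2057318 for one request.

    Assumption: `uri` is the literal request-line URI; sensor-side normalisation
    of http.uri is not modelled.
    """
    if method != "GET":                           # http.method; content:"GET"
        return False
    if not uri.startswith(RULE_PREFIX):           # content:"/user.cgi?NDDNS_ENABLE=1"; startswith
        return False
    idx = uri.find(RULE_PARAM, len(RULE_PREFIX))  # content:"DDNS_HOST|3d|"; distance:0
    if idx < 0:
        return False
    # pcre:"/^[^\x26]*?(meta)+/R": a metacharacter must occur inside the
    # DDNS_HOST value itself, i.e. before the next '&'.
    value = uri[idx + len(RULE_PARAM):].split("&", 1)[0]
    return _RULE_META_RE.search(value) is not None


def _parse_form(encoded: str):
    """Split a form-urlencoded string into decoded (name, value) pairs.
    Hand-rolled so a ';' inside a payload is never treated as a pair separator."""
    pairs = []
    for chunk in encoded.split("&"):
        if not chunk:
            continue
        name, _, value = chunk.partition("=")
        pairs.append((unquote_plus(name), unquote_plus(value)))
    return pairs


def ddns_injection_check(method: str, uri: str, body: str = ""):
    """Broader check per the notes above: every CVE parameter, GET query and POST
    body, names compared case-insensitively, values decoded before inspection.
    Returns the offending parameter names as they appeared in the request."""
    path, _, query = uri.partition("?")
    if path != "/user.cgi":
        return []
    sources = [query]
    if method == "POST":
        sources.append(body)   # assumption: the page does not say whether POST is accepted
    hits = []
    for src in sources:
        for name, value in _parse_form(src):
            if name.lower() in _DDNS_PARAMS and _DECODED_META_RE.search(value):
                hits.append(name)
    return hits


# Constructed sample requests (not real captures): (label, method, uri, body).
SAMPLE_REQUESTS = [
    ("rule hit",        "GET",  "/user.cgi?NDDNS_ENABLE=1&DDNS_HOST=x;id", ""),
    ("encoded hit",     "GET",  "/user.cgi?NDDNS_ENABLE=1&DDNS_HOST=x%3Bid", ""),
    ("benign",          "GET",  "/user.cgi?NDDNS_ENABLE=1&DDNS_HOST=home.example.net", ""),
    ("POST body",       "POST", "/user.cgi", "NDDNS_ENABLE=1&DDNS_HOST=x;id"),
    ("other parameter", "GET",  "/user.cgi?NDDNS_ENABLE=1&DDNS_HOST=ok&DDNS_NAME=x;id", ""),
    ("lowercase name",  "GET",  "/user.cgi?NDDNS_ENABLE=1&ddns_host=x;id", ""),
]


def run_samples():
    """Evaluate both checks over the samples: label -> (rule_hit, broad_hits)."""
    return {label: (rule_2057318_matches(method, uri), ddns_injection_check(method, uri, body))
            for label, method, uri, body in SAMPLE_REQUESTS}


if __name__ == "__main__":
    for label, (rule_hit, broad_hits) in run_samples().items():
        print(f"{label:16} rule={rule_hit!s:5} broad={broad_hits}")
```

The first three samples behave the same under both checks; the last three are exactly the gaps the notes call out (POST, a payload in a parameter other than DDNS_HOST, and a lowercase parameter name), which the rule misses and the broader check catches. Keep the broader check as a second-stage filter on logs or a custom rule, not as a replacement for the ET signature.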

CVSS provenance

Source      Version   Score   Severity   Vector
nvd         v3.1      9.8     CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd         v2.0      10.0    CRITICAL   AV:N/AC:L/Au:N/C:C/I:C/A:C
vulncheck   -         9.8     CRITICAL   -