CVE-2022-27226
Published: 2022-03-19
Priority: P1 86 | Severity: high | CVSS 3.1 base score: 8.8
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Exploited in the wild (VulnCheck KEV)
EPSS: 34.53% (98.2th percentile)
A CSRF issue in /api/crontab on iRZ Mobile Routers through 2022-03-16 allows a threat actor to create a crontab entry in the router administration panel. The cronjob will consequently execute the entry on the threat actor's defined interval, leading to remote code execution, allowing the threat actor to gain filesystem access. In addition, if the router's default credentials aren't rotated or a threat actor discovers valid credentials, remote code execution can be achieved without user interaction.
Affected (5 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| irz | rl01_firmware | <= 2022-03-16 | — |
| irz | rl21_firmware | <= 2022-03-16 | — |
| irz | ru21_firmware | <= 2022-03-16 | — |
| irz | ru21w_firmware | <= 2022-03-16 | — |
| irz | ru41_firmware | <= 2022-03-16 | — |
Detection & IOCs (extracted from sources)
Snort rule (ET EXPLOIT, sid:2035954):

```
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT iRZ Mobile Router RCE Inbound M1 (CVE-2022-27226)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/api/crontab"; fast_pattern; http.request_body; content:"|22|tasks|22 3a|"; content:"|22|command|22 3a|"; reference:cve,2022-27226; classtype:attempted-admin; sid:2035954; rev:2; metadata:attack_target Networking_Equipment, created_at 2022_04_14, cve CVE_2022_27226, deployment Perimeter, deployment Internal, confidence Medium, signature_severity Major, updated_at 2024_03_08;)
```

Byte patterns in the rule's request-body matches (0x22 is `"`, 0x3a is `:`):
- `|22|tasks|22 3a|` is the literal byte string `"tasks":`
- `|22|command|22 3a|` is the literal byte string `"command":`
- Detect POST requests to /api/crontab on iRZ router admin panels; the JSON body will contain 'tasks' and 'command' keys, indicating crontab injection for RCE.
- The exploit sets the HTTP header X-Requested-With: XMLHttpRequest alongside Origin and Referer matching the router URL; these headers in a POST to /api/crontab are a strong signal of exploitation.
- Monitor for creation or use of the named pipe /tmp/f on router filesystems, which is a hallmark of the mkfifo-style reverse shell payload used in this exploit.
- Exposed iRZ router admin panels can be located with a Google dork; monitor for external reconnaissance against devices with this title.
- Affected hardware models include RU21, RU21w, RL21, RU41 and RL01; prioritize detection and patching on these iRZ router models.
- The exploit works both with and without credentials. Without credentials it relies on CSRF (the victim must visit a malicious page); with valid or default credentials it achieves RCE directly, with no user interaction required.
- The crontab payload executes on the attacker-defined schedule (wildcard '*' for all time fields), so the shell callback may be delayed by up to ~2 minutes after the malicious POST is sent.
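As an added, defender-side example (not code from the rule author, the aggregator, or iRZ), the following Python applies the same matching logic as sid:2035954 to captured HTTP requests, adds a JSON-structure check so that a body with extra whitespace around the keys (which the byte patterns would miss) is still caught, and reports the header corroboration described in the notes above. The raw requests, the router address 192.0.2.10 and the PLACEHOLDER_COMMAND value are constructed for the demonstration; the detector does not know the real field names beyond the 'tasks' and 'command' keys the rule matches on.

```python
"""Detector for CVE-2022-27226-style crontab writes on iRZ routers.

Added example (not vendor, ET, or aggregator code). Mirrors the content
matches of ET sid:2035954 and adds a structural JSON check and a header
corroboration signal. All sample traffic below is constructed.
"""
import json
from dataclasses import dataclass
from urllib.parse import urlparse


@dataclass
class HttpRequest:
    method: str
    uri: str
    headers: dict   # header names lower-cased
    body: bytes


def parse_raw(raw: bytes) -> HttpRequest:
    """Minimal parser for one captured HTTP/1.1 request (request line, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, uri, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return HttpRequest(method, uri, headers, body)


# Content matches from sid:2035954: |22| is '"' and |3a| is ':', so the rule
# looks for the literal byte strings "tasks": and "command": in the POST body.
RULE_PATTERNS = (b'"tasks":', b'"command":')


def matches_rule(req: HttpRequest) -> bool:
    """True when the request satisfies every content match of sid:2035954."""
    return (req.method.upper() == "POST"
            and "/api/crontab" in req.uri          # the rule is a substring match, not an exact URI
            and all(p in req.body for p in RULE_PATTERNS))


def json_keys_present(req: HttpRequest) -> bool:
    """Structural check: parse the body and look for a 'command' key inside 'tasks'.

    Catches bodies the byte patterns miss, e.g. '"tasks" : [...]' with whitespace
    around the colon, which is still valid JSON for the router."""
    if req.method.upper() != "POST" or "/api/crontab" not in req.uri:
        return False
    try:
        doc = json.loads(req.body)
    except ValueError:
        return False
    tasks = doc.get("tasks") if isinstance(doc, dict) else None
    if not isinstance(tasks, list):
        return False
    return any(isinstance(t, dict) and "command" in t for t in tasks)


def header_signal(req: HttpRequest, router_host: str) -> bool:
    """Corroboration from the notes: XHR header plus Origin/Referer naming the router."""
    if req.headers.get("x-requested-with", "").lower() != "xmlhttprequest":
        return False
    return any(urlparse(req.headers.get(h, "")).hostname == router_host
               for h in ("origin", "referer"))


def assess(req: HttpRequest, router_host: str) -> dict:
    """Combine the checks; any body hit on /api/crontab is worth an alert."""
    rule = matches_rule(req)
    structural = json_keys_present(req)
    return {
        "rule_match": rule,
        "json_match": structural,
        "header_signal": header_signal(req, router_host),
        "verdict": "alert" if (rule or structural) else "none",
    }


# Constructed samples. 192.0.2.10 is a documentation address standing in for the router.
ROUTER = "192.0.2.10"
SAMPLE_CRONTAB_WRITE = (
    b"POST /api/crontab HTTP/1.1\r\nHost: 192.0.2.10\r\n"
    b"Origin: http://192.0.2.10\r\nReferer: http://192.0.2.10/\r\n"
    b"X-Requested-With: XMLHttpRequest\r\nContent-Type: application/json\r\n\r\n"
    b'{"tasks":[{"command":"PLACEHOLDER_COMMAND"}]}'
)
SAMPLE_SPACED = (   # same write with whitespace: evades the byte match, not the JSON check
    b"POST /api/crontab HTTP/1.1\r\nHost: 192.0.2.10\r\n"
    b"X-Requested-With: XMLHttpRequest\r\nContent-Type: application/json\r\n\r\n"
    b'{"tasks" : [{"command" : "PLACEHOLDER_COMMAND"}]}'
)
SAMPLE_EMPTY_TASKS = (b"POST /api/crontab HTTP/1.1\r\nHost: 192.0.2.10\r\n\r\n"
                      b'{"tasks":[]}')
SAMPLE_BENIGN = b"GET /api/status HTTP/1.1\r\nHost: 192.0.2.10\r\n\r\n"

if __name__ == "__main__":
    for name, raw in [("crontab write", SAMPLE_CRONTAB_WRITE), ("spaced", SAMPLE_SPACED),
                      ("empty tasks", SAMPLE_EMPTY_TASKS), ("benign", SAMPLE_BENIGN)]:
        print(f"{name:14s} {assess(parse_raw(raw), ROUTER)}")
```

The header signal is reported separately rather than folded into the verdict because a router's own admin UI may issue the same XHR headers when an operator edits the crontab; the decisive question for triage is whether the /api/crontab write was expected at all, so every body hit is surfaced and the header flag is kept as corroboration.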
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| nvd | 2.0 | 9.3 | CRITICAL | AV:N/AC:M/Au:N/C:C/I:C/A:C |
| vulncheck | — | 8.8 | HIGH | — |
GHSA
GHSA-52c6-hmcv-vmjj (ghsa_unreviewed · 2022-03-20) · CVE-2022-27226 [HIGH] · CWE-352
Description: identical to the CVE description above.
VulnCheck
irz ru21_firmware Cross-Site Request Forgery (CSRF) (vulncheck · 2022 · CVSS 8.8) · CVE-2022-27226 [HIGH]
Description: identical to the CVE description above.
Affected: irz ru21_firmware
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.fortinet.com/blog/t
Suricata
ET EXPLOIT iRZ Mobile Router RCE Inbound M1 (CVE-2022-27226) (suricata · 2022-04-14 · CVSS 8.8) · CVE-2022-27226 [HIGH]
Rule: identical to the Snort rule in the Detection & IOCs section above (sid:2035954, rev:2).
Unit42
Network Security Trends: Recent Exploits Observed in the Wild Include Remote Code Execution, Cross-Site Scripting and More (blogs_unit42 · 2022-08-19 · CVSS 8.8)
By Yue Guan · Published: August 19, 2022
Tags: Trend Reports, Vulnerabilities, Attack analysis, Exploit in the wild, Network security trends
CVEs covered: CVE-2021-20166, CVE-2021-20167, CVE-2021-21881, CVE-2021-24762, CVE-2021-28169, CVE-2021-31589, CVE-2021-39226, CVE-2021-4045, CVE-2021-43711, CVE-2022-21371, CVE-2022-21662, CVE-2022-22536, CVE-2022-22947, CVE-2022-22954, CVE-2022-22963, CVE-2022-22965, CVE-2022-24112, CVE-2022-24260, CVE-2022-25060, CVE-2022-25075, CVE-2022-25134, CVE-2022-27226, CVE-2022-29464
## Executive Summary
Recent observations of exploits used in the wild reveal that attackers have been making use of newly published remote code execution vulnerabilities in VMware ONE Access and Identity Manager and Spring Cloud Function, Spring MVC and Spring Web Flux, among others. Attackers have also been taking advantage of a cross-site scripting vulnerability in WordPress core, and SQL injection vulnerabilities in VoIPmonitor GUI and other services. In our observations of network security trends, Unit 42 researchers select exploits of the latest published attacks that defenders should know based on the availability of proofs of concept (PoCs), the severity of the vulnerabilities the exploits are based on and the ease of exploitation.
Other insights that could assist defenders includ
Fortinet
Enemybot: A Look into Keksec's Latest DDoS Botnet | FortiGuard Labs (blogs_fortinet · 2022-04-12)
FortiGuard Labs Threat Research · By Joie Salvio and Roy Tay | April 12, 2022
In mid-March, FortiGuard Labs observed a new DDoS botnet calling itself “Enemybot” and attributing itself to Keksec, a threat group that specializes in cryptomining and DDoS attacks.
This botnet is mainly derived from Gafgyt’s source code but has been observed to borrow several modules from Mirai’s original source code.
It uses several methods of obfuscation for its strings to hinder analysis and hide itself from other botnets. Furthermore, it connects to a command-and-control (C2) server that is hidden in the Tor network, making its takedown more complicated.
Enemybot has been seen targeting routers from Seowon Intech, D-Link, and exploits a recently reported
References
- http://packetstormsecurity.com/files/166396/iRZ-Mobile-Router-Cross-Site-Request-Forgery-Remote-Code-Execution.html
- https://en.irz.ru
- https://github.com/SakuraSamuraii/ez-iRZ
- https://johnjhacking.com/blog/cve-2022-27226/