CVE-2022-27945 — OS Command Injection in Netgear R8500 Firmware
Severity
8.8 HIGH (NVD)
EPSS
5.0%
top 10.28%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published: Mar 26
Latest update: Mar 27
Description
NETGEAR R8500 1.0.2.158 devices allow remote authenticated users to execute arbitrary commands (such as telnetd) via shell metacharacters in the sysNewPasswd and sysConfirmPasswd parameters to password.cgi.
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploitability: 2.8 | Impact: 5.9