CVE-2022-36267
Published 2022-08-08
Priority P191 · critical · 9.8 (CVSS 3.1)
AV:N · AC:L · PR:N · UI:N · S:U · C:H · I:H · A:H
ITW · EXPLOIT · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 53.75% (98.9th percentile)
In Airspan AirSpot 5410 version 0.3.4.1-4 and under, there exists an unauthenticated remote command injection vulnerability. The ping functionality can be called without user authentication by crafting a malicious HTTP request that injects code into one of the parameters, allowing remote code execution. The vulnerability is exploited via the binary file /home/www/cgi-bin/diagnostics.cgi, which accepts unauthenticated requests and unsanitized data. As a result, a malicious actor can craft a specific request and interact remotely with the device.
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| airspan | airspot_5410_firmware | <= 0.3.4.1-4 | — |
Detection & IOCs (extracted from sources)
- Monitor for unauthenticated HTTP POST requests to /cgi-bin/diagnostics.cgi on Airspan AirSpot 5410 devices, especially those lacking a session/auth cookie.
- Alert on POST body to diagnostics.cgi containing shell metacharacters (backticks, %60, %3E%26, /dev/tcp) in the targetIP parameter, indicating command injection attempt.
- Detect POST requests to diagnostics.cgi where the 'targetIP' field contains values other than a valid IP address (e.g., contains backticks, semicolons, or URL-encoded shell operators).
- Flag outbound TCP connections from the AirSpot device process space (diagnostics.cgi / sh) to arbitrary external hosts, indicative of a reverse shell being established.
- The vulnerable endpoint is served over HTTPS (port 443 by default) with no authentication required; SSL inspection may be needed to inspect POST body contents for detection.
- All firmware versions 0.3.4.1-4 and below are affected; ensure version checks target this range when scoping detection or patching.
CVSS provenance
- nvd · v3.1 · 9.8 CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- vulncheck · 9.8 CRITICAL
GHSA
GHSA-w4rx-v2mp-rhf4 · ghsa_unreviewed · 2022-08-09
CVE-2022-36267 [CRITICAL] CWE-77
VulnCheck
Airspan AirSpot 5410 version 0.3.4.1-4 and under Remote Code Execution
vulncheck·2022·CVSS 9.8
Affected: airspan airspot_5410_firmware
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigati
No detection rules found.
Checkpoint
20th February – Threat Intelligence Report
blogs_checkpoint·2023-02-20
CVE-2023-21823 20th February – Threat Intelligence Report
## 20th February – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 20th February, please download our Threat_Intelligence Bulletin
TOP ATTACKS AND BREACHES
Check Point Research identified a campaign against entities in Armenia, using a new version of OxtaRAT – an AutoIt-based backdoor for remote access and desktop surveillance. The threat actors have been targeting human rights organizations, dissidents, and independent media in Azerbaijan for several years, amid rising tens
Unit42
Mirai Variant V3G4 Targets IoT Devices
blogs_unit42·2023-02-15·CVSS 7.5
[HIGH] Mirai Variant V3G4 Targets IoT Devices
## Content Warning
We are providing a content warning because the following contains usage of a racial slur by a threat actor, which is not condoned in any instance by Unit 42. Unit 42 has partially redacted the racial slur to provide researchers with the ability to identify it and check IoCs as needed.
## Executive Summary
From July to December 2022, Unit 42 researchers observed a Mirai variant called V3G4, which was leveraging several vulnerabilities to spread itself. The vulnerabilities exploited include the following:
- CVE-2012-4869: FreePBX Elastix Remote Command Execution Vulnerability
- Gitorious Remote Command Execution Vulnerability
- CVE-2014-9727: FRITZ!Box Webcam Remote Command Execution Vulnerability
- Mitel AWC Remote Command Execution Vulnerability
- CVE-2017-5173: Geut
Authors: Chao Lei, Zhibin Zhang, Cecilia Hu, Aveek Das
Published: February 15, 2023
References
- http://packetstormsecurity.com/files/168047/AirSpot-5410-0.3.4.1-4-Remote-Command-Injection.html
- https://gist.github.com/Nwqda/e82b3155401b094372195fdaa9b54833
- https://wdi.rfwel.com/cdn/techdocs/AirSpot5410.pdf