CVE-2022-47210 — OS Command Injection in Netgear Rax30 Firmware

CWE-78 — OS Command Injection CWE-77 — Command Injection3 documents3 sources

Severity

7.8HIGHNVD

EPSS

0.2%

top 52.36%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Netgear Rax30 Firmware

Timeline

PublishedDec 16

Description

The default console presented to users over telnet (when enabled) is restricted to a subset of commands. Commands issued at this console, however, appear to be fed directly into a system call or other similar function. This allows any authenticated user to execute arbitrary commands on the device.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9

Affected Packages1 packages

▶NVDnetgear/rax30_firmware< 1.0.9.90

Patches

Patch: www.tenable.com ↗Patch: www.tenable.com ↗

🔴Vulnerability Details

GHSA

GHSA-6mx5-j85j-5862: The default console presented to users over telnet (when enabled) is restricted to a subset of commands↗2022-12-16

▶

CVEList

CVE-2022-47210: The default console presented to users over telnet (when enabled) is restricted to a subset of commands↗2022-12-16

▶