← back
CVE-2022-36267

CVE-2022-36267

EPSS 53.8%◆ VulnCheck KEV
Vexday Risk Score
57Attention
SSVC decision (CISA)
Act
Exploitation + impact → act immediately
Exploit maturity
Proof of concept
Popular PoC on GitHub (12 stars) — exploitation code widely available.
CVSS EPSS 53.8%KEV nãoPoC públicaNuclei Metasploit Patch
Lifecycle
08 Aug 2022Published on NVD
20 Sep 2022Public PoC
Weaponization speed
42 daysto first PoC
Recommendation: Patch as soon as possible — active exploitation confirmed.
In Airspan AirSpot 5410 version 0.3.4.1-4 and under there exists a Unauthenticated remote command injection vulnerability. The ping functionality can be called without user authentication when crafting a malicious http request by injecting code in one of the parameters allowing for remote code execution. This vulnerability is exploited via the binary file /home/www/cgi-bin/diagnostics.cgi that accepts unauthenticated requests and unsanitized data. As a result, a malicious actor can craft a specific request and interact remotely with the device.
Affected products
n/a · n/a
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.