Source: nvd
ID: NVD:CVE-2022-36265
Aug 08, 2022 - 3:15 p.m.

CVE-2022-36265

2022-08-08 15:15:08
web.nvd.nist.gov
Tags: airspan airspot, hidden command, firmware analysis, root privileges, compromise threat

CVSS3: 7.2

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: HIGH
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

EPSS: 0.001
Percentile: 38.5%

In Airspan AirSpot 5410 version 0.3.4.1-4 and under, there exists a hidden system command web page. Reverse engineering of the firmware revealed a hidden page, not listed in the administration management interface, that allows a user to execute Linux commands on the device with root privileges. An authenticated malicious threat actor can use this page to fully compromise the device.

Affected configurations

Nvd

Node
airspan | airspot_5410_firmware | Range | 0.3.4.1-4
AND
airspan | airspot_5410 | Match | -

Vendor | Product | Version | CPE
airspan | airspot_5410_firmware | * | cpe:2.3:o:airspan:airspot_5410_firmware:*:*:*:*:*:*:*:*
airspan | airspot_5410 | - | cpe:2.3:h:airspan:airspot_5410:-:*:*:*:*:*:*:*
