CVE-2022-25597

ASUS RT-AC86Us LPD service has insufficient filtering for special characters in the user request, which allows an unauthenticated LAN attacker to perform command injection attack, execute arbitrary commands and disrupt or terminate service.
OS Command Injection
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
8.8 HIGH
ADJACENT_NETWORK
LOW
NONE
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
twcertCNA
8.8 HIGH
ADJACENT_NETWORK
LOW
NONE
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 39%
VendorProductVersion
asusrt-ac86u_firmware
3.0.0.4.386.45956
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://www.twcert.org.tw/tw/cp-132-5794-09c33-1.html
https://www.twcert.org.tw/tw/cp-132-5794-09c33-1.html