CVE-2022-36265

In Airspan AirSpot 5410 version 0.3.4.1-4 and under there exists a Hidden system command web page. After performing a reverse engineering of the firmware, it was discovered that a hidden page not listed in the administration management interface allows a user to execute Linux commands on the device with root privileges. An authenticated malicious threat actor can use this page to fully compromise the device.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
7.2 HIGH
NETWORK
LOW
HIGH
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
mitreCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 30%
VendorProductVersion
airspanairspot_5410_firmware
𝑥
≤ 0.3.4.1-4
𝑥
= Vulnerable software versions
References
https://gist.github.com/Nwqda/e82b3155401b094372195fdaa9b54833
https://wdi.rfwel.com/cdn/techdocs/AirSpot5410.pdf
https://gist.github.com/Nwqda/e82b3155401b094372195fdaa9b54833
https://wdi.rfwel.com/cdn/techdocs/AirSpot5410.pdf