CVE-2022-36557

Vulnerability

The Seiko SkyBridge MB-A100 and MB-A110 LTE/3G wireless routers, firmware version 4.2.0 and below, contain an arbitrary file upload vulnerability in the restore backup function. An attacker can upload a crafted HTML file, which the device will then execute, allowing arbitrary code execution. The issue is present in all firmware versions up to and including 4.2.0 [1].

Exploitation

To exploit this vulnerability, an attacker does not require authentication or prior access; they only need network connectivity to the device's management interface. The attacker crafts an HTML file containing malicious code (e.g., PHP or other server-side script) and uploads it via the restore backup functionality. The device processes the uploaded file without proper validation or sanitization, enabling the attacker to achieve code execution [1].

Impact

Successful exploitation allows the attacker to execute arbitrary code on the device with the privileges of the web server (typically root). This leads to full compromise of the router, including the ability to intercept or redirect network traffic, access connected devices, and establish persistent backdoor access. The impact is severe as these devices are often used for IoT/M2M communications [1].

Mitigation

Seiko Solutions has released firmware version 4.2.1 to address the vulnerability. Users should update their devices to this version or later immediately. No workaround is available if the device cannot be updated, and the device should be isolated from untrusted networks until a patch is applied [1].