CVE-2022-36559

Vulnerability

An authenticated command injection vulnerability exists in Seiko SkyBridge MB-A200 routers running firmware version v01.00.04 and below [1]. The flaw is located in the Ping parameter of the ping_exec.cgi web interface script. An attacker with network access to the administrative web interface can inject arbitrary system commands by crafting a malicious Ping request.

Exploitation

To exploit this vulnerability, an attacker must have valid administrative credentials for the web interface. With those credentials, the attacker sends a specially crafted HTTP POST request to ping_exec.cgi with a malicious payload in the Ping parameter. The request is processed without proper sanitization, leading to command execution on the device.

Impact

Successful exploitation allows the attacker to execute arbitrary commands on the router operating system with root privileges. This can lead to full compromise of the device, including data exfiltration, further network attacks, or disruption of services.

Mitigation

No official patch or fixed version is mentioned in the available references [1]. Users should restrict network access to the administrative interface and consider upgrading to a newer hardware revision if available. As of the publication date (August 29, 2022), the vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.