CVE-2022-39986
Description
A command injection vulnerability in RaspAP 2.8.0 through 2.8.7 allows unauthenticated attackers to execute arbitrary commands via the cfg_id parameter in /ajax/openvpn/activate_ovpncfg.php and /ajax/openvpn/del_ovpncfg.php.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Unauthenticated command injection in RaspAP 2.8.0-2.8.7 via the cfg_id parameter in two OpenVPN AJAX endpoints allows arbitrary command execution.
A command injection vulnerability, CVE-2022-39986, exists in RaspAP versions 2.8.0 through 2.8.7. The flaw is located in the cfg_id parameter of the /ajax/openvpn/activate_ovpncfg.php and /ajax/openvpn/del_ovpncfg.php scripts [2]. The application fails to sanitize user-supplied input before passing it to a shell command, allowing an attacker to inject arbitrary operating system commands [3].
The vulnerability is exploitable over the network by an unauthenticated attacker, who needs no prior access or privileges on the target system [2]. A crafted HTTP request carrying malicious input in the cfg_id parameter is processed by the vulnerable PHP scripts, leading to command injection [4].
Successful exploitation allows an unauthenticated attacker to execute arbitrary commands on the underlying operating system with the privileges of the web server user (typically www-data) [2]. This can lead to full compromise of the RaspAP device, including data exfiltration, installation of malware, or use of the device as a pivot point for further attacks within the network.
The RaspAP project addressed this vulnerability in a later release by sanitizing input with escapeshellcmd() and updating the affected files [3]. Users are strongly advised to upgrade to a version higher than 2.8.7 immediately. If an upgrade is not possible, restricting network access to the RaspAP web interface and monitoring for anomalous cfg_id values are recommended interim mitigations.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
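As an added example (not RaspAP code and not taken from the cited references), the interim mitigation above, monitoring for anomalous cfg_id values, could look like the following check. It assumes a request log with tab-separated ip, method, path and URL-encoded body fields, and that legitimate cfg_id values are short identifiers of letters, digits, "_" and "-"; both are assumptions to adapt to the deployment.

```python
import re
from urllib.parse import parse_qs

# The two endpoints named in the CVE description.
WATCHED_PATHS = {
    "/ajax/openvpn/activate_ovpncfg.php",
    "/ajax/openvpn/del_ovpncfg.php",
}

# Assumption: legitimate ids use only letters, digits, "_" and "-".
EXPECTED_CFG_ID = re.compile(r"[A-Za-z0-9_-]{1,64}")

def check_request(method, path, body):
    """Return a list of reasons this request looks anomalous (empty = fine)."""
    if method != "POST" or path.split("?", 1)[0] not in WATCHED_PATHS:
        return []
    values = parse_qs(body, keep_blank_values=True).get("cfg_id", [])
    reasons = []
    if len(values) > 1:
        reasons.append("cfg_id supplied more than once")
    for value in values:
        if not EXPECTED_CFG_ID.fullmatch(value):
            reasons.append("cfg_id outside expected pattern: %r" % value)
    return reasons

def scan(lines):
    """Scan 'ip<TAB>method<TAB>path<TAB>body' records; return (ip, path, reasons)."""
    alerts = []
    for line in lines:
        parts = line.rstrip("\n").split("\t")
        if len(parts) != 4:
            continue  # not a record in the assumed log format
        ip, method, path, body = parts
        reasons = check_request(method, path, body)
        if reasons:
            alerts.append((ip, path, reasons))
    return alerts

# Constructed sample records (not real traffic; addresses are documentation ranges).
SAMPLE = [
    "192.0.2.10\tPOST\t/ajax/openvpn/activate_ovpncfg.php\tcfg_id=3",
    "198.51.100.7\tPOST\t/ajax/openvpn/del_ovpncfg.php\tcfg_id=3%3B+PLACEHOLDER",
    "198.51.100.7\tPOST\t/ajax/openvpn/activate_ovpncfg.php\tcfg_id=..%2F..%2Fx",
    "192.0.2.10\tGET\t/index.php\t",
]

if __name__ == "__main__":
    for ip, path, reasons in scan(SAMPLE):
        print(ip, path, "; ".join(reasons))
```

Standard web server access logs do not record POST bodies, so this check needs a source that does, such as a reverse proxy or WAF configured to log form data for these two paths.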
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| billz/raspap-webgui (Packagist) | >= 2.8.0, < 2.8.8 | 2.8.8 |
Affected products
- RaspAP/RaspAP (description)
Patches
1fabc481690e Sanitize post data w/ escapeshellcmd()
3 files changed · +3 −3
ajax/logging/clearlog.php+1 −1 modified@@ -5,7 +5,7 @@ require_once '../../includes/functions.php'; if (isset($_POST['logfile'])) { - $logfile = $_POST['logfile']; + $logfile = escapeshellcmd($_POST['logfile']); // truncate requested log file exec("sudo truncate -s 0 $logfile", $return);
ajax/openvpn/activate_ovpncfg.php+1 −1 modified@@ -5,7 +5,7 @@ require_once '../../includes/functions.php'; if (isset($_POST['cfg_id'])) { - $ovpncfg_id = $_POST['cfg_id']; + $ovpncfg_id = escapeshellcmd($_POST['cfg_id']); $ovpncfg_client = RASPI_OPENVPN_CLIENT_PATH.$ovpncfg_id.'_client.conf'; $ovpncfg_login = RASPI_OPENVPN_CLIENT_PATH.$ovpncfg_id.'_login.conf';
ajax/openvpn/del_ovpncfg.php+1 −1 modified@@ -5,7 +5,7 @@ require_once '../../includes/functions.php'; if (isset($_POST['cfg_id'])) { - $ovpncfg_id = $_POST['cfg_id']; + $ovpncfg_id = escapeshellcmd($_POST['cfg_id']); $ovpncfg_files = pathinfo(RASPI_OPENVPN_CLIENT_LOGIN, PATHINFO_DIRNAME).'/'.$ovpncfg_id.'_*.conf'; exec("sudo rm $ovpncfg_files", $return); $jsonData = ['return'=>$return];
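Review bot: In ajax/logging/clearlog.php, escapeshellcmd() is the wrong helper for a value that is interpolated as one argument in exec("sudo truncate -s 0 $logfile", $return). It backslash-escapes shell metacharacters but leaves whitespace and leading dashes alone, so the value can still split into extra arguments or options, and nothing restricts it to an actual log file. Suggest checking $_POST['logfile'] against a fixed list of known log paths and passing the accepted value through escapeshellarg().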
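Review bot: In ajax/openvpn/activate_ovpncfg.php, the escaped cfg_id is concatenated directly into $ovpncfg_client and $ovpncfg_login, and escapeshellcmd() does not touch "/" or "..", so the resulting paths can resolve outside RASPI_OPENVPN_CLIENT_PATH; any backslashes it inserts also become part of the filename. Suggest validating cfg_id against a strict pattern that matches only the ids the application itself generates, rejecting the request otherwise, and quoting with escapeshellarg() wherever these paths reach a shell.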
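Review bot: In ajax/openvpn/del_ovpncfg.php, exec("sudo rm $ovpncfg_files", $return) still interpolates the value unquoted, so whitespace in cfg_id splits into additional arguments to rm under sudo, and ".." segments pass through escapeshellcmd() unchanged. Suggest validating cfg_id against a strict pattern before building $ovpncfg_files, and expanding the _*.conf match in PHP (glob() plus escapeshellarg() per file) instead of in the shell. The visible context also shows no session or CSRF check before $_POST['cfg_id'] is used, which is worth confirming for a handler that runs sudo.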
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-7c28-wg7r-pg6f (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2022-39986 (ghsa, ADVISORY)
- github.com/RaspAP/raspap-webgui/blob/master/ajax/openvpn/activate_ovpncfg.php (ghsa, WEB)
- github.com/RaspAP/raspap-webgui/commit/1fabc481690e008279113e18d0642c5279e3b56e (ghsa, WEB)
- github.com/RaspAP/raspap-webgui/pull/1303 (ghsa, WEB)
- medium.com/@ismael0x00/multiple-vulnerabilities-in-raspap-3c35e78809f2 (ghsa, WEB)
- packetstormsecurity.com/files/174190/RaspAP-2.8.7-Unauthenticated-Command-Injection.html (mitre)
- medium.com/%40ismael0x00/multiple-vulnerabilities-in-raspap-3c35e78809f2 (mitre)