CVE-2022-45699
Description
Command injection in the administration interface in APSystems ECU-R version 5203 allows a remote unauthenticated attacker to execute arbitrary commands as root using the timezone parameter.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Unauthenticated command injection in the timezone parameter of APSystems ECU-R 5203 allows remote code execution as root.
Vulnerability
A command injection vulnerability exists in the administration interface of APSystems ECU-R firmware version 5203. The timezone parameter is passed unsanitized to a system shell, allowing an attacker to inject arbitrary operating system commands. No authentication or prior access is required to reach the vulnerable code path.
Exploitation
An unauthenticated remote attacker can send a crafted HTTP POST request to the administration interface, placing shell metacharacters (e.g., ;, |, or backticks) in the timezone parameter. The injection payload is executed as part of a shell command with root privileges.
Impact
Successful exploitation allows the attacker to execute arbitrary commands as the root user on the ECU-R device. This gives full control over the device, including the ability to modify configuration, exfiltrate data, or use the device as a pivot point for further attacks on the local network.
Mitigation
No official fix has been released by the vendor as of the publication date. The affected version is APSystems ECU-R 5203; earlier or later firmware versions may also be vulnerable. Administrators should isolate the ECU-R administration interface from untrusted networks (e.g., by not exposing it to the internet) until a patch is provided. The CVE is not currently listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.
[1]
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
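As an added example (not vendor or firmware code), the allowlist below shows how a filtering proxy or log-review script in front of the administration interface could reject or flag timezone values that are not shaped like a tz database name. The form-encoded body format, the function names and the sample bodies are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs

# IANA-style zone names: a letter first, then up to two "/"-separated parts.
# Nothing a shell treats specially (; | ` $ & spaces, quotes, newlines) can match.
TZ_NAME = re.compile(r"[A-Za-z][A-Za-z0-9_+-]{0,31}(?:/[A-Za-z0-9_+-]{1,32}){0,2}")


def timezone_is_safe(value: str) -> bool:
    """Allowlist check: accept only strings shaped like a tz database name."""
    # fullmatch avoids the "$ matches before a trailing newline" pitfall.
    return TZ_NAME.fullmatch(value) is not None


def flag_request(body: str) -> list[str]:
    """Return every timezone value in a form-encoded body that fails the check."""
    params = parse_qs(body, keep_blank_values=True)
    return [v for v in params.get("timezone", []) if not timezone_is_safe(v)]


# Constructed sample bodies (not captured traffic); INJECTED stands in for a command.
SAMPLES = [
    "timezone=Asia%2FTaipei",
    "timezone=America%2FArgentina%2FBuenos_Aires",
    "timezone=Etc%2FGMT%2B8",
    "timezone=Asia%2FTaipei%3BINJECTED",
    "timezone=UTC%7CINJECTED",
    "timezone=%60INJECTED%60",
    "timezone=UTC%0AINJECTED",
]

if __name__ == "__main__":
    for body in SAMPLES:
        bad = flag_request(body)
        print("ALERT" if bad else "ok   ", body, bad)
```

The same allowlist belongs in any code that consumes the parameter, together with passing the value as a single argument rather than building a shell command string.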
Affected products
- APSystems/ECU-R
Patches
No patches discovered yet.