CVE-2022-45709
Description
IP-COM M50 V15.11.0.33(10768) was discovered to contain multiple command injection vulnerabilities via the pEnable, pLevel, and pModule parameters in the formSetDebugCfg function.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
IP-COM M50 router firmware V15.11.0.33(10768) contains multiple command injection vulnerabilities in the formSetDebugCfg function via the pEnable, pLevel, and pModule parameters.
Vulnerability
IP-COM M50 routers running firmware version V15.11.0.33(10768) contain multiple command injection vulnerabilities in the formSetDebugCfg function. The parameters pEnable, pLevel, and pModule are not sanitized, allowing an attacker to inject arbitrary OS commands. The affected endpoint is accessible via GET requests to /action/setDebugCfg [1].
Exploitation
An attacker can exploit this vulnerability by sending a crafted GET request to the router's web interface with malicious payloads in any of the three vulnerable parameters. No authentication is required. For example, setting pEnable to -h%0aping%20x.x.x.x%20-w%2-5%0a causes the router to execute the injected ping command [1].
Impact
Successful exploitation allows a remote, unauthenticated attacker to execute arbitrary OS commands on the affected router with root or system-level privileges, leading to full device compromise. This can result in unauthorized access, data exfiltration, network pivoting, or denial of service.
Mitigation
As of publication, no official fix or updated firmware has been released by IP-COM. Users should restrict remote access to the router's management interface and monitor for vendor updates or patches. The device may be approaching end-of-life; consider replacing it with a supported model [1].
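With no fixed firmware available, monitoring requests to the affected endpoint is a practical control. The following is an added example, not code from the advisory or the vendor. It scans access-log lines for requests to /action/setDebugCfg whose pEnable, pLevel or pModule values fall outside an allowlist. Assumptions: the log lines come from a proxy or gateway in front of the management interface in common log format, and legitimate values are short alphanumeric tokens; `suspicious_params` and the sample lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

ENDPOINT = "/action/setDebugCfg"            # endpoint named on this page
PARAMS = ("pEnable", "pLevel", "pModule")   # parameters named on this page
# Assumption: legitimate values are short alphanumeric tokens.
ALLOWED = re.compile(r"[A-Za-z0-9_]{1,32}")
# Request field of a common/combined-format access log line.
REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[0-9.]+"')


def suspicious_params(log_line):
    """Return [(param, decoded_value)] for setDebugCfg values outside the allowlist."""
    m = REQUEST.search(log_line)
    if not m:
        return []
    parts = urlsplit(m.group("target"))
    if unquote(parts.path).rstrip("/") != ENDPOINT:
        return []
    # parse_qs percent-decodes, so %0a is compared as a real newline.
    query = parse_qs(parts.query, keep_blank_values=True)
    hits = []
    for name in PARAMS:
        for value in query.get(name, []):
            # fullmatch, not match: a trailing newline must not slip through.
            if not ALLOWED.fullmatch(value):
                hits.append((name, value))
    return hits


# Constructed sample lines (not captured traffic); addresses are documentation ranges.
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Jan/2023:10:00:00 +0000] "GET /action/setDebugCfg?pEnable=1&pLevel=2&pModule=httpd HTTP/1.1" 200 12',
    '203.0.113.9 - - [01/Jan/2023:10:00:05 +0000] "GET /action/setDebugCfg?pEnable=-h%0aping%20x.x.x.x%0a&pLevel=2&pModule=httpd HTTP/1.1" 200 12',
    '203.0.113.9 - - [01/Jan/2023:10:00:09 +0000] "GET /index.html?pEnable=%0a HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        for name, value in suspicious_params(line):
            print(f"ALERT {line.split()[0]} {name}={value!r}")
```

Any hit on this endpoint from outside the management network is worth investigating, since the page states the request needs no authentication.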
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
- IP-COM/M50 (description)
Patches (0)
No patches discovered yet.
References (1)