CVE-2022-45717

Vulnerability

A remote command injection vulnerability exists in IP-COM M50 routers running firmware version V15.11.0.33(10768). The flaw resides in the formSetUSBPartitionUmount function, where the usbPartitionName parameter is not properly sanitized before being used in OS commands. An attacker can inject arbitrary commands by crafting a GET request to the /action/umountUSBPartition endpoint [1].

Exploitation

An unauthenticated attacker with network access to the router can exploit this vulnerability by sending a specially crafted GET request to the vulnerable endpoint. The usbPartitionName parameter is set to a payload containing command injection sequences, such as -h%0aping%20x.x.x.x%20-w%2-5%0a, which causes the router to execute the injected command. No authentication or user interaction is required [1].

Impact

Successful exploitation allows an attacker to execute arbitrary operating system commands on the router with root privileges. This can lead to full compromise of the device, including unauthorized access to network traffic, modification of device configuration, and potential use as a pivot point for further attacks on the internal network [1].

Mitigation

As of the publication date (2022-12-23), no official firmware patch or workaround has been released by IP-COM. Users are advised to monitor the vendor's support channels for updates and consider isolating the affected device from untrusted networks until a fix is available [1].