CVE-2022-26582

Name of the Vulnerable Software and Affected Versions PAX A930 device with PayDroid version 7.1.1 Virgo V04.3.26T1 20210419 PAX Technology A930 PayDroid version 7.1.1 Virgo V04.4.02 20211201

Description The issue allows an attacker to gain root access through command injection in the systool client. This can be exploited if the attacker has shell access to the device. The systool server fails to check for dollar signs or backticks in user-supplied commands, leading to arbitrary command execution as root.

Recommendations For PAX A930 device with PayDroid version 7.1.1 Virgo V04.3.26T1 20210419, consider disabling the systool client until a patch is available. For PAX Technology A930 PayDroid version 7.1.1 Virgo V04.4.02 20211201, restrict access to the systool server to minimize the risk of exploitation. As a temporary workaround, avoid using user-supplied commands that contain dollar signs or backticks in the systool server until the issue is resolved.