CVE-2022-26995

Name of the Vulnerable Software and Affected Versions Arris TR3300 version 1.0.13

Description A command injection issue was found in the pptp function, accessible through the wan pptp.html endpoint, via the pptp fix ip, pptp fix mask, pptp fix gw, and wan dns1 stat parameters. This allows attackers to execute arbitrary commands by sending a crafted request.

Recommendations For Arris TR3300 version 1.0.13, as a temporary workaround, consider restricting access to the pptp function and the wan pptp.html endpoint to minimize the risk of exploitation. Avoid using the pptp fix ip, pptp fix mask, pptp fix gw, and wan dns1 stat parameters in the affected endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.