PT-2022-23285 · Airspan · Airspan Airspot 5410

Published: 2022-08-08 · Updated: 2026-05-05 · CVE-2022-36267

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Airspan AirSpot 5410 versions 0.3.4.1-4 and under

Description: The issue is an unauthenticated remote command injection vulnerability. The device's ping functionality can be invoked without user authentication by crafting a malicious HTTP request and injecting code into one of its parameters, which results in remote code execution. The vulnerable component is the binary /home/www/cgi-bin/diagnostics.cgi, which accepts unauthenticated requests and does not sanitize the data it receives. As a result, a malicious actor can craft a specific request to interact remotely with the device.

Recommendations: For Airspan AirSpot 5410 versions 0.3.4.1-4 and under, consider disabling the /home/www/cgi-bin/diagnostics.cgi binary as a temporary workaround until a patch is available. Restrict access to this file to minimize the risk of exploitation. Avoid passing unsanitized data in HTTP requests to the affected device until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
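Added example (not code from the advisory or from Airspan): the two defender-side pieces this class of bug calls for, a strict ping-target validator that hands the target to ping as a separate argv element instead of a shell string, and a check over web-server access logs that flags diagnostics.cgi requests carrying shell metacharacters in their query. The URL path /cgi-bin/diagnostics.cgi, the parameter name host, and the log lines are constructed assumptions; the advisory only gives the filesystem path of the binary.

```python
import ipaddress
import re
from urllib.parse import urlsplit, parse_qs

# RFC 1123 hostname: alphanumeric labels with internal hyphens only, so no
# shell metacharacter and no leading '-' (which could become a ping option) can pass.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)([A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)*"
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$"
)
_SHELL_META = set(";|&`$()<>\n\r'\"\\")
# Request line of an Apache/nginx style access log entry.
_REQ_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def is_safe_ping_target(target: str) -> bool:
    """Accept only a literal IPv4/IPv6 address or a strict RFC 1123 hostname."""
    try:
        ipaddress.ip_address(target)
        return True
    except ValueError:
        return bool(_HOSTNAME_RE.match(target))


def build_ping_argv(target: str, count: int = 4) -> list[str]:
    """Hardened form of the ping handler: validate first, then build an argv
    list for subprocess.run(..., shell=False); the target is never shell-parsed."""
    if not is_safe_ping_target(target):
        raise ValueError("rejected ping target")
    return ["ping", "-c", str(count), target]


def flag_suspicious_request(log_line: str) -> bool:
    """Detection: True if the request targets diagnostics.cgi (assumed URL path)
    and any decoded query value contains a shell metacharacter."""
    m = _REQ_RE.search(log_line)
    if not m:
        return False
    url = urlsplit(m.group(1))
    if not url.path.endswith("/diagnostics.cgi"):
        return False
    params = parse_qs(url.query, keep_blank_values=True)  # percent-decodes values
    return any(set(v) & _SHELL_META for values in params.values() for v in values)


# Constructed sample log lines (RFC 5737 documentation addresses).
BENIGN_LINE = ('198.51.100.7 - - [08/Aug/2022:10:00:00 +0000] '
               '"GET /cgi-bin/diagnostics.cgi?host=192.0.2.1 HTTP/1.1" 200 512')
SUSPECT_LINE = ('198.51.100.7 - - [08/Aug/2022:10:00:05 +0000] '
                '"GET /cgi-bin/diagnostics.cgi?host=192.0.2.1%3Buname HTTP/1.1" 200 512')
```

Run the flagging function over the device's access log to spot probing of the diagnostics endpoint, and apply the validator pattern to any ping-style feature that builds a command from user input.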

Related Identifiers: CVE-2022-36267

Affected Products: Airspan Airspot 5410