PT-2023-14431 · Nexxt · Nexxt Amp300
Yerodin Richards
·
Published
2023-01-04
·
Updated
2025-09-16
·
CVE-2022-44149
CVSS v3.1
8.8
High
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Nexxt Amp300 ARN02304U8 version 42.103.1.5095
Nexxt Amp300 ARN02304U8 version 80.103.2.5045
Description
The web service on Nexxt Amp300 ARN02304U8 devices allows remote OS command execution by placing &telnetd in the JSON
host field to the "ping" feature of the "goform/sysTools" component. Authentication is required.Recommendations
For version 42.103.1.5095, consider disabling the "goform/sysTools" component until a patch is available.
For version 80.103.2.5045, restrict access to the "ping" feature of the "goform/sysTools" component to minimize the risk of exploitation.
Avoid using the
host field in the affected API endpoint until the issue is resolved.
At the moment, there is no information about a newer version that contains a fix for this vulnerability.Exploit
OS Command Injection
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Nexxt Amp300