CVE-2022-27226

moderate-risk
Published 2022-03-19

A CSRF issue in /api/crontab on iRZ Mobile Routers through 2022-03-16 allows a threat actor to create a crontab entry in the router administration panel. The cronjob will consequently execute the entry on the threat actor's defined interval, leading to remote code execution, allowing the threat actor to gain filesystem access. In addition, if the router's default credentials aren't rotated or a threat actor discovers valid credentials, remote code execution can be achieved without user interaction.

Do I need to act?

~
3.2% chance of exploitation in next 30 days
EPSS score — moderate exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
!
1 public exploit available
50832
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
8
CVSS 8.8/10 High
NETWORK / LOW complexity

Affected Products (5)

Ru21 Firmware
Ru21W Firmware
Rl21 Firmware
Ru41 Firmware
Rl01 Firmware

Affected Vendors

Irz

References (8)

Exploit http://packetstormsecurity.com/files/166396/iRZ-Mobile-Router-Cross-Site-Request...
Product https://en.irz.ru
Exploit https://github.com/SakuraSamuraii/ez-iRZ
Exploit https://johnjhacking.com/blog/cve-2022-27226/
Exploit http://packetstormsecurity.com/files/166396/iRZ-Mobile-Router-Cross-Site-Request...
Product https://en.irz.ru
Exploit https://github.com/SakuraSamuraii/ez-iRZ
Exploit https://johnjhacking.com/blog/cve-2022-27226/
48
/ 100
moderate-risk
Severity 30/34 · Critical
Exploitability 6/34 · Minimal
Exposure 12/34 · Low