CVE-2022-43390

high-risk

Published 2023-01-11

A command injection vulnerability in the CGI program of Zyxel NR7101 firmware prior to V1.15(ACCC.3)C0, which could allow an authenticated attacker to execute some OS commands on a vulnerable device by sending a crafted HTTP request.

Do I need to act?

2.5% chance of exploitation in next 30 days

EPSS score — moderate exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 5.4/10 Medium

NETWORK / LOW complexity

Affected Products (20)

Lte7480-M804 Firmware

Lte7490-M904 Firmware

Nebula Nr5101 Firmware

Nebula Nr7101 Firmware

Nr5101 Firmware

Nr7101 Firmware

Nr7102 Firmware

Dx3301-T0 Firmware

Dx4510-B1 Firmware

Dx5401-B0 Firmware

Emg3525-T50B Firmware

Emg5523-T50B Firmware

Emg5723-T50K Firmware

Ex3301-T0 Firmware

Ex3510-B0 Firmware

Ex5401-B0 Firmware

Ex5501-B0 Firmware

Ex5510-B0 Firmware

Ex5512-T0 Firmware

Ex5600-T1 Firmware

Affected Vendors

Zyxel

References (2)

Vendor Advisory https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advis...

/ 100

high-risk

Severity 21/34 · High

Exploitability 6/34 · Minimal

Exposure 24/34 · High