Command Injection Vulnerability in Arris Routers
CVE-2022-26991

9.8CRITICAL

Key Information:

Vendor: Arris
Status: Sbr-ac1900p Firmware
Vendor: CVE Published:; 15 March 2022

What is CVE-2022-26991?

A command injection vulnerability exists in Arris routers, specifically in the ntp function when processing the TimeZone parameter. This flaw enables attackers to send specially crafted requests, potentially executing arbitrary commands on the affected devices. Models SBR-AC1900P, SBR-AC3200P, and SBR-AC1200P in specified versions are impacted, raising significant security concerns for users relying on these routers.

References

https://github.com/wudipjq/my_vuln/blob/main/ARRIS/vuln_6...

x_refsource_MISC

EPSS Score

9% chance of being exploited in the next 30 days.

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 15, 2022
Vulnerability Reserved
Mar 14, 2022