OS command injection in ASUS M25 NAS
CVE-2022-4221

9.8CRITICAL

Key Information:

Vendor
Asus
Status
Nas-m25
Vendor
CVE Published:
1 December 2022

Summary

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Asus NAS-M25 allows an unauthenticated attacker to inject arbitrary OS commands via unsanitized cookie values.This issue affects NAS-M25: through 1.0.1.7.

Affected Version(s)

NAS-M25 0 <= 1.0.1.7

References

https://onekey.com/blog/security-advisory-asus-m25-nas-vu...

CVSS V3.1

Score:
9.8
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Q. Kaiser, ONEKEY Research Lab
ONEKEY analysis platform
.
CVE-2022-4221 : OS command injection in ASUS M25 NAS | SecurityVulnerability.io