CVE-2022-43466

Summary

OS command injection vulnerability in Buffalo network devices allows a network-adjacent attacker with an administrative privilege to execute an arbitrary OS command if a specially crafted request is sent to a specific CGI program.

Affected Software

VendorProductVersion RangeStatus
BUFFALO INC.WXR-5700AX7Sfirmware Ver. 1.27 and earlieraffected
BUFFALO INC.WXR-5700AX7Bfirmware Ver. 1.27 and earlieraffected
BUFFALO INC.WSR-3200AX4Sfirmware Ver. 1.26 and earlieraffected
BUFFALO INC.WSR-3200AX4Bfirmware Ver. 1.25affected
BUFFALO INC.WSR-2533DHP2firmware Ver. 1.22 and earlieraffected
BUFFALO INC.WSR-A2533DHP2firmware Ver. 1.22 and earlieraffected
BUFFALO INC.WSR-2533DHP3firmware Ver. 1.26 and earlieraffected
BUFFALO INC.WSR-A2533DHP3firmware Ver. 1.26 and earlieraffected
BUFFALO INC.WSR-2533DHPL2firmware Ver. 1.03 and earlieraffected
BUFFALO INC.WSR-2533DHPLSfirmware Ver. 1.07 and earlieraffected
BUFFALO INC.WSR-2533DHPLBfirmware Ver. 1.05affected
BUFFALO INC.WEX-1800AX4firmware Ver. 1.13 and earlieraffected
BUFFALO INC.WEX-1800AX4EAfirmware Ver. 1.13 and earlieraffected

Weaknesses

  • OS command injection

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References