CVE-2022-4874
7.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Summary
Authentication bypass in Netcomm router models NF20MESH, NF20, and NL1902 allows an unauthenticated user to access content. In order to serve static content, the application performs a check for the existence of specific characters in the URL (.css, .png etc). If it exists, it performs a "fake login" to give the request an active session to load the file and not redirect to the login page.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Netcomm | NF20 | R6B025 | affected |
| Netcomm | NF20MESH | R6B025 | affected |
| Netcomm | NL1902 | R6B025 | affected |
Weaknesses
- CWE-288
ADP Enrichment
CVE Program Container
Additional References
- https://github.com/scarvell/advisories/blob/main/2022_netcomm_nf20mesh_unauth_rce.md
- https://www.kb.cert.org/vuls/id/986018
CISA ADP Vulnrichment
- SSVC:
- Exploitation: poc
- Automatable: yes
- Technical Impact: partial
References
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.