CVE-2022-21809

8.1 HIGH

📋 TL;DR

This vulnerability allows attackers to upload arbitrary malicious files to InHand Networks InRouter302 devices via the upload.cgi functionality. Exploitation can lead to remote code execution, device compromise, or network infiltration. Organizations using affected InRouter302 devices are at risk.

💻 Affected Systems

Products:
  • InHand Networks InRouter302
Versions: V3.5.4
Operating Systems: Embedded Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Devices with HTTP upload functionality enabled are vulnerable. The upload.cgi endpoint is typically accessible via web interface.


⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete device takeover leading to network pivot, data exfiltration, or deployment of persistent malware across connected systems.

🟠 Likely Case

Unauthorized file upload enabling web shell installation for remote command execution and device control.

🟢 If Mitigated

Limited impact with proper network segmentation and access controls preventing external exploitation.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires crafting a malicious HTTP request to the upload.cgi endpoint. No authentication is needed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: V3.5.5 or later

Vendor Advisory: https://www.inhandnetworks.com/upload/attachment/202205/10/InHand-PSA-2022-01.pdf

Restart Required: Yes

Instructions:

1. Download the firmware update from the InHand Networks support portal.
2. Access the device web interface.
3. Navigate to System > Upgrade.
4. Upload the firmware file.
5. Apply the update and reboot the device.

🔧 Temporary Workarounds

Disable HTTP upload functionality

Temporarily disable or restrict access to the upload.cgi endpoint:

# Modify the web server configuration to block upload.cgi, or drop packets
# on TCP port 80 that contain the string "upload.cgi":
iptables -A INPUT -p tcp --dport 80 -m string --string "upload.cgi" --algo bm -j DROP

Network access control

Restrict access to the device management interface:

# Allow port 80 only from a trusted address (replace trusted_ip), then drop
# all other connections to port 80:
iptables -A INPUT -p tcp --dport 80 -s trusted_ip -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP

🧯 If You Can't Patch

  • Isolate affected devices in separate VLAN with strict firewall rules
  • Implement web application firewall (WAF) to block malicious upload requests

🔍 How to Verify

Check if Vulnerable:

Check device firmware version via web interface or SSH: cat /etc/version

Check Version:

cat /etc/version || grep -i version /proc/cpuinfo

Verify Fix Applied:

Verify firmware version is V3.5.5 or later and test upload functionality with safe test files

📡 Detection & Monitoring

Log Indicators:

  • HTTP POST requests to /cgi-bin/upload.cgi
  • Unusual file uploads in web server logs
  • Large or suspicious file upload attempts

Network Indicators:

  • HTTP traffic to upload.cgi endpoint from untrusted sources
  • Unusual outbound connections from device after upload

SIEM Query:

source="web_logs" AND uri="/cgi-bin/upload.cgi" AND method="POST" AND size>1000000
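As an added example, not part of this advisory or the vendor's material: a small Python checker that applies the log indicators above to web server access logs, flagging POSTs to /cgi-bin/upload.cgi from outside a trusted management subnet and requests above the same 1,000,000-byte threshold as the SIEM query. It assumes an nginx-style combined log with a trailing $request_length field and a trusted subnet of 10.0.0.0/24; the sample lines are constructed.

```python
import ipaddress
import re

# Constructed sample access-log lines (combined format plus a trailing
# $request_length field). Not taken from any real device.
SAMPLE_LOG = """\
10.0.0.5 - - [10/May/2022:12:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0" 340
10.0.0.5 - - [10/May/2022:12:01:10 +0000] "POST /cgi-bin/upload.cgi HTTP/1.1" 200 88 "-" "Mozilla/5.0" 2048
203.0.113.7 - - [10/May/2022:12:03:22 +0000] "POST /cgi-bin/upload.cgi HTTP/1.1" 200 88 "-" "python-requests/2.27" 1500000
198.51.100.9 - - [10/May/2022:12:04:05 +0000] "POST /cgi-bin/upload.cgi HTTP/1.1" 200 88 "-" "curl/7.79" 4096
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<resp_bytes>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)" (?P<req_len>\d+)$'
)

TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/24")]  # assumed management subnet
UPLOAD_URI = "/cgi-bin/upload.cgi"
LARGE_REQUEST = 1_000_000  # mirrors the size>1000000 threshold in the SIEM query


def is_trusted(src: str) -> bool:
    """True when the client address lies inside a trusted management subnet."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in TRUSTED_NETS)


def find_upload_hits(log_text: str) -> list[dict]:
    """Return one finding per POST to upload.cgi, tagged with why it is suspicious."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST" or m["uri"].split("?")[0] != UPLOAD_URI:
            continue
        reasons = []
        if not is_trusted(m["src"]):
            reasons.append("untrusted_source")
        if int(m["req_len"]) > LARGE_REQUEST:
            reasons.append("large_request")
        hits.append({"src": m["src"], "ts": m["ts"], "ua": m["ua"],
                     "req_len": int(m["req_len"]), "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in find_upload_hits(SAMPLE_LOG):
        print(hit)
```

Uploads from the trusted subnet are still reported (with an empty reasons list) so that every use of the endpoint is visible for review, not only the suspicious ones.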
