CVE-2022-30105

9.8 CRITICAL

📋 TL;DR

Belkin N300 routers running firmware version 1.00.08 contain multiple remote command injection vulnerabilities in the /setting_hidden.asp script. Attackers can execute arbitrary OS commands with root privileges by sending specially crafted POST requests to vulnerable parameters. All users of affected Belkin N300 routers are at risk.

💻 Affected Systems

Products:
  • Belkin N300 Wireless Router
Versions: Firmware version 1.00.08
Operating Systems: Embedded Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists in default configuration. The /setting_hidden.asp script is accessible both before and after device configuration.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete device compromise allowing attackers to install persistent malware, intercept all network traffic, pivot to internal networks, or brick the device.

🟠 Likely Case: Router takeover enabling traffic interception, DNS hijacking, credential theft, and lateral movement to connected devices.

🟢 If Mitigated: Limited impact if device is behind firewall with strict inbound rules and network segmentation.

🌐 Internet-Facing: HIGH - Routers are typically internet-facing devices directly accessible from WAN interfaces.
🏢 Internal Only: MEDIUM - Internal attackers could exploit if they gain network access.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending a single POST request with crafted parameters. No authentication required.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Not available

Restart Required: No

Instructions:

No official patch is available. Check the Belkin website for firmware updates. If none is available, replace the device or implement the workarounds below.

🔧 Temporary Workarounds

Network Isolation

Place router behind firewall with strict inbound rules blocking all WAN access to web interface

Access Restriction

Configure firewall to only allow web interface access from specific management IP addresses

🧯 If You Can't Patch

  • Replace affected Belkin N300 router with a supported, patched model
  • Implement network segmentation to isolate router from critical systems

🔍 How to Verify

Check if Vulnerable:

Check the firmware version via the router web interface at http://router-ip/, or use an nmap scan for device identification.

Check Version:

curl -s http://router-ip/ | grep -i firmware || nmap -sV -p80 router-ip

Verify Fix Applied:

Verify firmware version is newer than 1.00.08. No patch verification possible as no fix exists.

📡 Detection & Monitoring

Log Indicators:

  • POST requests to /setting_hidden.asp with unusual parameter values
  • System logs showing unexpected command execution

Network Indicators:

  • POST requests to /setting_hidden.asp containing shell metacharacters like ;, |, &, $()
  • Unusual outbound connections from router

SIEM Query:

source="router_logs" AND (url="/setting_hidden.asp" AND method="POST" AND (params CONTAINS ";" OR params CONTAINS "|" OR params CONTAINS "$" OR params CONTAINS "`"))
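The same check as an added example in Python (not part of the original advisory): it decodes each form field before matching, so percent-encoded metacharacters are caught and the ordinary & field separator does not trigger an alert. It assumes JSON-lines events from an upstream proxy or sensor with src, method, url and body fields; the field names field_a and field_b and all sample events are constructed.

```python
import json
import re
from urllib.parse import unquote_plus, urlsplit

TARGET_PATH = "/setting_hidden.asp"
# Characters from the indicators and SIEM query above, plus newline.
SHELL_META = re.compile(r"[;|&`$\n]")

def suspicious_params(body):
    """Names of form fields whose decoded value holds a shell metacharacter."""
    hits = []
    # Split on the raw '&' separator first, then percent-decode each value, so
    # the separator itself is ignored but an encoded %26 or %3B is still seen.
    for pair in body.split("&"):
        name, _, value = pair.partition("=")
        if SHELL_META.search(unquote_plus(value)):
            hits.append(unquote_plus(name))
    return hits

def scan(lines):
    """Return (source, [field names]) for each suspicious POST to TARGET_PATH."""
    alerts = []
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed log lines
        if not isinstance(ev, dict):
            continue
        # Assumption: compare the path case-insensitively and ignore any query string.
        path = urlsplit(str(ev.get("url", ""))).path.lower()
        if str(ev.get("method", "")).upper() != "POST" or path != TARGET_PATH:
            continue
        fields = suspicious_params(str(ev.get("body", "")))
        if fields:
            alerts.append((ev.get("src"), fields))
    return alerts

# Constructed sample events; field_a and field_b are placeholder names.
SAMPLE = [
    '{"src":"192.0.2.10","method":"POST","url":"/setting_hidden.asp","body":"field_a=on&field_b=5"}',
    '{"src":"198.51.100.7","method":"POST","url":"/setting_hidden.asp","body":"field_a=on%3Becho%20test&field_b=5"}',
    '{"src":"198.51.100.8","method":"POST","url":"/SETTING_HIDDEN.ASP?x=1","body":"field_b=%24%28echo+test%29"}',
    '{"src":"192.0.2.11","method":"GET","url":"/setting_hidden.asp","body":""}',
    '{"src":"192.0.2.12","method":"POST","url":"/index.asp","body":"q=a%7Cb"}',
]

if __name__ == "__main__":
    for src, fields in scan(SAMPLE):
        print(f"ALERT src={src} fields={','.join(fields)}")
```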
