CVE-2022-50789 – This is a command injection vulnerability in SO... (How to Fix)

Q: What is the severity of CVE-2022-50789?

CVE-2022-50789 has a CVSS score of 7.8 (HIGH). This is a command injection vulnerability in SOUND4 IMPACT/FIRST/PULSE/Eco systems up to version 2.x. Local authenticated users can create malicious files in /tmp, then unauthenticated attackers can trigger command execution via HTTP POST to dns.php. This affects all systems running vulnerable versions of these SOUND4 products.

📋 TL;DR

This is a command injection vulnerability in SOUND4 IMPACT/FIRST/PULSE/Eco systems up to version 2.x. Local authenticated users can create malicious files in /tmp, then unauthenticated attackers can trigger command execution via HTTP POST to dns.php. This affects all systems running vulnerable versions of these SOUND4 products.

💻 Affected Systems

Products:

SOUND4 IMPACT
SOUND4 FIRST
SOUND4 PULSE
SOUND4 Eco

Versions: All versions up to and including 2.x

Operating Systems: Linux-based embedded systems

Default Config Vulnerable: ⚠️ Yes

Notes: The vulnerability exists in the dns.php script which appears to be part of the web interface. Systems with web access enabled are vulnerable.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full system compromise with root privileges, allowing attackers to install persistent backdoors, exfiltrate sensitive data, or pivot to other network systems.

🟠

Likely Case

Remote code execution leading to system takeover, data theft, or deployment of ransomware/malware on affected devices.

🟢

If Mitigated

Limited impact if proper network segmentation and access controls prevent external access to vulnerable systems.

🌐 Internet-Facing: HIGH - Unauthenticated attackers can exploit this remotely via HTTP POST requests to the vulnerable endpoint.

🏢 Internal Only: HIGH - Even internal attackers or compromised internal systems can exploit this vulnerability.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Exploit details and proof-of-concept code are publicly available. The attack requires local file creation first, but this can be combined with other vulnerabilities or social engineering.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://www.sound4.com/

Restart Required: No

Instructions:

Check vendor website for security updates. If no patch is available, apply workarounds immediately.

🔧 Temporary Workarounds

Block access to dns.php

linux

Remove or restrict access to the vulnerable dns.php script

mv /path/to/dns.php /path/to/dns.php.disabled
chmod 000 /path/to/dns.php

Web server access control

linux

Configure web server to block POST requests to dns.php

# For Apache: add to .htaccess or virtual host config
<Files "dns.php">
    Order Deny,Allow
    Deny from all
</Files>
# For Nginx: add to server block
location ~ /dns\.php$ {
    deny all;
    return 403;
}

🧯 If You Can't Patch

Isolate affected systems in a separate network segment with strict firewall rules
Implement web application firewall (WAF) rules to block malicious requests to dns.php

🔍 How to Verify

Check if Vulnerable:

Check if dns.php exists in web directory and test with curl: curl -X POST http://target/dns.php

Check Version:

Check system documentation or web interface for version information

Verify Fix Applied:

Verify dns.php is inaccessible or removed: curl -X POST http://target/dns.php should return 403/404

📡 Detection & Monitoring

Log Indicators:

HTTP POST requests to /dns.php
Unusual command execution in system logs
File creation in /tmp with .dns.pid extension

Network Indicators:

HTTP POST requests to dns.php endpoint
Unusual outbound connections from affected systems

SIEM Query:

source="web_logs" AND (uri="/dns.php" OR uri LIKE "%/dns.php") AND method="POST"

📊 Metadata

CVE ID: CVE-2022-50789

CVSS v3 Score: 7.8 (HIGH)

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-78

EPSS Score: 0.7% exploit probability (71.5th percentile)

Published: December 30, 2025

Last Updated: January 16, 2026

🔗 References

https://exchange.xforce.ibmcloud.com/vulnerabilities/247922 Third Party Advisory
https://packetstormsecurity.com/files/170260/SOUND4-IMPACT-FIRST-PULSE-Eco-2.x-dns.php-Command-Injection.html Exploit,Third Party Advisory,VDB Entry
https://www.sound4.com/ Product
https://www.vulncheck.com/advisories/sound-impactfirstpulseeco-x-conditional-command-injection-via-dnsphp Third Party Advisory
https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5733.php Exploit,Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2022-50789, you might also want to check these: